Analysis
- max time kernel: 285s
- max time network: 341s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 06:33
Static task: static1
Behavioral task: behavioral1
  Sample: 7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f.dll
  Resource: win10v2004-20221111-en
General
- Target: 7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f.dll
- Size: 564KB
- MD5: aa952608fe5ae9acf13b3ba7d51130a0
- SHA1: 57352f83b167a06242e9010561a80f387fc6d7b7
- SHA256: 7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f
- SHA512: 0bf32e8e419b3b58f479dc375ec8d3fc38f5de626f991596b7c2b582feebdc2cae664566f8141c42b111baf39a8820a9a35a501c1402096f6f8450eaea352a60
- SSDEEP: 12288:Yh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNZYE6N:Y8F+Pzr/Hfp4MIYwZckMQmGv
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 4432, process rundll32mgr.exe
- Processes (resource, yara_rule):
    C:\Windows\SysWOW64\rundll32mgr.exe: upx
    C:\Windows\SysWOW64\rundll32mgr.exe: upx
    behavioral2/memory/4432-136-0x0000000000400000-0x0000000000461000-memory.dmp: upx
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File created, C:\Windows\SysWOW64\rundll32mgr.exe, rundll32.exe
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    1696, 4432, WerFault.exe, rundll32mgr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1600 wrote to memory of 3572, 1600, rundll32.exe, rundll32.exe
    PID 1600 wrote to memory of 3572, 1600, rundll32.exe, rundll32.exe
    PID 1600 wrote to memory of 3572, 1600, rundll32.exe, rundll32.exe
    PID 3572 wrote to memory of 4432, 3572, rundll32.exe, rundll32mgr.exe
    PID 3572 wrote to memory of 4432, 3572, rundll32.exe, rundll32mgr.exe
    PID 3572 wrote to memory of 4432, 3572, rundll32.exe, rundll32mgr.exe
    PID 4432 wrote to memory of 1696, 4432, rundll32mgr.exe, WerFault.exe
    PID 4432 wrote to memory of 1696, 4432, rundll32mgr.exe, WerFault.exe
    PID 4432 wrote to memory of 1696, 4432, rundll32mgr.exe, WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      Command: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 260
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4432 -ip 4432
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 129KB
  MD5: 0344a3aa574e9d0e0f5593ed1b4cb88b
  SHA1: 951fe2b0b4678199676e71838d91dddf762fa79d
  SHA256: 93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded
  SHA512: 31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc
- memory/1696-137-0x0000000000000000-mapping.dmp
- memory/3572-132-0x0000000000000000-mapping.dmp
- memory/4432-133-0x0000000000000000-mapping.dmp
- memory/4432-136-0x0000000000400000-0x0000000000461000-memory.dmp
  Filesize: 388KB