Analysis

max time kernel: 5s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 17:53
Static task: static1

Behavioral task: behavioral1
  Sample: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll
  Resource: win10v2004-20221111-en
General

Target: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll
Size: 308KB
MD5: 48501ad3bc7a31a3cf83366db3db5367
SHA1: 8ebb519b812a1f3ac9cfde0bb35addfa7939128a
SHA256: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60
SHA512: ba2ba3a3522c3c2e379942274b1a13ff27b6b6feb2012bfd437444e965400888447f42b3df5724669181a6cdd922e9179f37cf2d5c282aee3b6448f6c4887e8b
SSDEEP: 6144:saVQbrcA0ucRg55Vk2jRP66MGc1jmv3YjxRd000a8kTrQajpLTB8uroAhs:2bsucRgBkkRyP1d8g8kTrbjpLTKu7u
Malware Config
Signatures
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1280  1740        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1740  rundll32.exe
  1740  rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1740  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                       pid   process       target process
  PID 1296 wrote to memory of 1740  1296  rundll32.exe  rundll32.exe
  PID 1296 wrote to memory of 1740  1296  rundll32.exe  rundll32.exe
  PID 1296 wrote to memory of 1740  1296  rundll32.exe  rundll32.exe
  PID 1296 wrote to memory of 1740  1296  rundll32.exe  rundll32.exe
  PID 1296 wrote to memory of 1740  1296  rundll32.exe  rundll32.exe
  PID 1296 wrote to memory of 1740  1296  rundll32.exe  rundll32.exe
  PID 1296 wrote to memory of 1740  1296  rundll32.exe  rundll32.exe
  PID 1740 wrote to memory of 1280  1740  rundll32.exe  WerFault.exe
  PID 1740 wrote to memory of 1280  1740  rundll32.exe  WerFault.exe
  PID 1740 wrote to memory of 1280  1740  rundll32.exe  WerFault.exe
  PID 1740 wrote to memory of 1280  1740  rundll32.exe  WerFault.exe
Processes

- C:\Windows\system32\rundll32.exe (PID 1296)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1740)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1280)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 332
      - Program crash