Analysis
- max time kernel: 177s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 17:53
Static task
- static1
Behavioral task
- behavioral1
  - Sample: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll
  - Resource: win7-20221111-en
Behavioral task
- behavioral2
  - Sample: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll
  - Resource: win10v2004-20221111-en
General
- Target: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll
- Size: 308KB
- MD5: 48501ad3bc7a31a3cf83366db3db5367
- SHA1: 8ebb519b812a1f3ac9cfde0bb35addfa7939128a
- SHA256: c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60
- SHA512: ba2ba3a3522c3c2e379942274b1a13ff27b6b6feb2012bfd437444e965400888447f42b3df5724669181a6cdd922e9179f37cf2d5c282aee3b6448f6c4887e8b
- SSDEEP: 6144:saVQbrcA0ucRg55Vk2jRP66MGc1jmv3YjxRd000a8kTrQajpLTB8uroAhs:2bsucRgBkkRyP1d8g8kTrbjpLTKu7u
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  3364 | 4504 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process), 8 identical entries:
  4504 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4504 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process), 3 identical entries:
  PID 1444 wrote to memory of 4504 | 1444 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c30cfdb6e38718dcd696f1eacc990fee787f63bb0f36f1703033c79b21080f60.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 680
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
Network
MITRE ATT&CK Matrix
Downloads
- memory/4504-132-0x0000000000000000-mapping.dmp