Overview

Score: 10

Tasks (score per task):
  TE04/Ref.lnk          windows7-x64         10
  TE04/Ref.lnk          windows10-2004-x64   10
  TE04/syndr...st.cmd   windows7-x64          1
  TE04/syndr...st.cmd   windows10-2004-x64    1
  TE04/syndr...ta.dll   windows7-x64          3
  TE04/syndr...ta.dll   windows10-2004-x64    3
  TE04/syndr...la.cmd   windows7-x64          1
  TE04/syndr...la.cmd   windows10-2004-x64    1

Analysis
max time kernel: 207s
max time network: 336s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2022 06:46
Static task
  static1

Behavioral tasks
  behavioral1  Sample: TE04/Ref.lnk                          Resource: win7-20220812-en
  behavioral2  Sample: TE04/Ref.lnk                          Resource: win10v2004-20220812-en
  behavioral3  Sample: TE04/syndrome/destructionist.cmd      Resource: win7-20221111-en
  behavioral4  Sample: TE04/syndrome/destructionist.cmd      Resource: win10v2004-20220812-en
  behavioral5  Sample: TE04/syndrome/dicta.dll               Resource: win7-20221111-en
  behavioral6  Sample: TE04/syndrome/dicta.dll               Resource: win10v2004-20220812-en
  behavioral7  Sample: TE04/syndrome/dracula.cmd             Resource: win7-20220812-en
  behavioral8  Sample: TE04/syndrome/dracula.cmd             Resource: win10v2004-20220812-en
General

Target: TE04/syndrome/dicta.dll
Size: 596KB
MD5: 98b6b7eb3a0d889bdfd24130e72e8afd
SHA1: 46be771ff368e840160bd5e03a45ec93d8fbc3ee
SHA256: bf3915a0a3e128b90d5f3c3173c4310e71d458d778d3bb7b9695c18892256120
SHA512: b36b8089b59390e3d39e10cedc28c485c317e4df3d01f669e56e817e1b3fb1fb069417c8e9e0022824fc74208b5bee727ad9441d0c5656f43cd3cc93789f67c2
SSDEEP: 12288:4n8J739YoRmwZBY9bk8OlBf07A4QDXSAIdQFFF7:481FR7tVlDXScn
Malware Config
Signatures

Program crash (1 IoC)
  pid   process       target pid   target process
  592   WerFault.exe  1436         rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                  pid    process       target pid   target process
  PID 1532 wrote to memory of  1436   rundll32.exe  1436         rundll32.exe   (7 events)
  PID 1436 wrote to memory of  592    rundll32.exe  592          WerFault.exe   (4 events)
Processes

1. C:\Windows\system32\rundll32.exe (PID 1532)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\TE04\syndrome\dicta.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1436)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\TE04\syndrome\dicta.dll,#1
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (PID 592)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 224
         - Program crash

Notes on the chain: the DLL is invoked by ordinal (`#1`) from a user-writable Temp directory rather than by an exported name from a system location. The 64-bit rundll32.exe in system32 hands off to the 32-bit rundll32.exe in SysWOW64, which is the standard behaviour when the target DLL is a 32-bit image, so the first seven WriteProcessMemory events (1532 -> 1436) are the re-launch of the child rather than injection into an unrelated process. The 32-bit host then crashed while running the export and WerFault.exe was started for PID 1436 (the `-p 1436` argument), which accounts for the remaining four WriteProcessMemory events (1436 -> 592) and the Program crash signature. A crash in the sandbox means export #1 was reached but did not complete; it does not by itself show what the export does, so the other tasks in this submission (Ref.lnk and the .cmd files) are the better place to look for the intended loader context.
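The chain above (rundll32 by ordinal from Temp, a 64-bit to 32-bit rundll32 re-launch, then a WerFault for the 32-bit host) is easy to pick out of process-creation telemetry once the events are linked by PID. The following is an added example of that triage logic, not code from the sandbox or from the sample's author: it runs a few rules over a constructed event list modelled on the report's process tree and PIDs (1532, 1436, 592), plus one constructed benign control (a signed System32 DLL called by export name) to show the rules do not fire on ordinary rundll32 usage. The `Event` shape, the rule names and the list of user-writable paths are assumptions for the example.

```python
"""Triage rules for a rundll32 -> rundll32 -> WerFault chain, run over constructed events."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample events (not sandbox output), modelled on the process tree in the report.
# PID 1000 is an assumed parent for the first rundll32; the shell32 line is a constructed benign control.
EVENTS = [
    Event(1532, 1000, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\TE04\syndrome\dicta.dll,#1"),
    Event(1436, 1532, r"C:\Windows\SysWOW64\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\TE04\syndrome\dicta.dll,#1"),
    Event(592, 1436, r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 224"),
    Event(2000, 1000, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# "rundll32.exe <dll>,<export>" where export is either an ordinal (#N) or a name.
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll),(?P<export>#\d+|\w+)", re.IGNORECASE)
# WerFault's "-p <pid>" names the process that crashed.
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)")
# Assumed list of locations a standard user can write to; extend to taste.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None if it has no DLL argument."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def arch_of(image):
    """Infer host bitness from the system directory the image lives in."""
    low = image.lower()
    if "\\syswow64\\" in low:
        return "x86"
    if "\\system32\\" in low:
        return "x64"
    return "unknown"


def triage(events):
    """Return (pid, rule, detail) findings for the rundll32/WerFault rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        if name == "rundll32.exe":
            parsed = parse_rundll32(e.cmdline)
            if parsed is None:
                continue
            dll, export = parsed
            if any(p in dll.lower() for p in USER_WRITABLE):
                findings.append((e.pid, "rundll32 loads DLL from user-writable path", dll))
            if export.startswith("#"):
                findings.append((e.pid, "rundll32 calls export by ordinal", export))
            parent = by_pid.get(e.ppid)
            # A 64-bit rundll32 re-launching the 32-bit one is expected for a 32-bit DLL,
            # but it is still worth recording because it explains the WriteProcessMemory events.
            if parent and basename(parent.image) == "rundll32.exe" and arch_of(parent.image) != arch_of(e.image):
                findings.append((e.pid, "cross-architecture rundll32 re-launch",
                                 f"{arch_of(parent.image)}->{arch_of(e.image)}"))
        elif name == "werfault.exe":
            m = WERFAULT_PID_RE.search(e.cmdline)
            crashed = by_pid.get(int(m.group(1))) if m else None
            # Link the crash back to the DLL the crashed rundll32 host was running.
            if crashed and basename(crashed.image) == "rundll32.exe":
                parsed = parse_rundll32(crashed.cmdline)
                findings.append((e.pid, "WerFault for a rundll32 host", parsed[0] if parsed else crashed.cmdline))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"{pid:>5}  {rule:<45} {detail}")
```

The benign control (PID 2000) produces no findings because the DLL sits under System32 and is called by name; the sample chain produces six, and the WerFault finding carries the DLL path of the crashed host, which is the value an analyst wants in the alert rather than the WerFault command line itself.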