Overview

Tasks (sample / platform: score)
- Overview: 10
- Static
- Ref.lnk / windows10-1703-x64: 10
- Ref.lnk / windows7-x64: 10
- engenderin...ry.dll / windows10-1703-x64
- engenderin...ry.dll / windows7-x64: 3
- engenderin...ng.cmd / windows10-1703-x64: 1
- engenderin...ng.cmd / windows7-x64: 1
- engendering/suite.cmd / windows10-1703-x64: 1
- engendering/suite.cmd / windows7-x64: 1

Analysis
- max time kernel: 37s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2022 16:11
Tasks (task id: sample, resource)
- static1: Static task
- behavioral1: Ref.lnk, win10-20220812-en
- behavioral2: Ref.lnk, win7-20221111-en
- behavioral3: engendering/catenary.dll, win10-20220901-en
- behavioral4: engendering/catenary.dll, win7-20221111-en
- behavioral5: engendering/exiting.cmd, win10-20220812-en
- behavioral6: engendering/exiting.cmd, win7-20221111-en
- behavioral7: engendering/suite.cmd, win10-20220812-en
- behavioral8: engendering/suite.cmd, win7-20221111-en
General
- Target: engendering/catenary.dll
- Size: 596KB
- MD5: 740ef7c49bbf7b6dc80ada0cb1b8f824
- SHA1: 233dae2d621fe77935ca3d4ca1dd07b3e956914c
- SHA256: 5b88a129b9138aea014f1425f5b28f5937e657d778a681c0e5685481d6eefc54
- SHA512: 59b44da52b911e16ce00b19937739cd267931535232f317bbcfdafc24c59180ce295d156847c7bcbae2e00a16c2291f12d79ab4ac4716c41cb7465298a75b88a
- SSDEEP: 12288:4n8H739YoRmwZBY9bk8OlBf07A4QDXSAIdQFFF7:48bFR7tVlDXScn
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid, process -> target pid, target process):
  564 WerFault.exe -> 1976 rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (pid, process wrote to memory of target pid, target process):
  1628 rundll32.exe -> 1976 rundll32.exe (7 events)
  1976 rundll32.exe -> 564 WerFault.exe (4 events)

The WerFault.exe command line (-p 1976) names PID 1976, the SysWOW64 rundll32.exe hosting catenary.dll, as the process that crashed. Both WriteProcessMemory chains run from a parent into the child it had just created (1628 -> 1976, 1976 -> 564); writes into a freshly created child are part of normal process start-up and, on their own, do not show code being injected into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (PID 1628)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\engendering\catenary.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1976)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\engendering\catenary.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 564)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 224
      - Program crash
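The process tree and the WriteProcessMemory IoCs above are easier to reason about once they are structured: which process loaded a DLL from a user-writable directory, which PID actually crashed (the one named by WerFault.exe -p), and which of the flagged memory writes are just a parent setting up its own child. The script below is an added example, not part of the sandbox report or its tooling. Its input is constructed from the process tree and IoC table of this report (paths, command lines and PIDs 1628, 1976 and 564 copied from above); the function names, the regular expressions and the list of user-writable directory markers are the example's own assumptions.

```python
"""Added example: structure a flattened sandbox process tree and its
WriteProcessMemory IoCs. Not part of the original report."""
import re
from collections import Counter

# Constructed input, copied from the report's process tree: (image, command line, pid).
PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\engendering\catenary.dll,#1", 1628),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\engendering\catenary.dll,#1", 1976),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 224", 564),
]

# Constructed input: the report's 11 WriteProcessMemory IoCs as (writer pid, target pid).
WPM_EVENTS = [(1628, 1976)] * 7 + [(1976, 564)] * 4

# Assumed patterns (example's own): rundll32 "<dll>,<entry>" and WerFault "-p <pid>".
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)',
                       re.IGNORECASE)
WERFAULT_P_RE = re.compile(r"werfault\.exe.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)

# Assumed list of directories an unprivileged user can write to (lower-case substrings).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_rundll32(cmdline):
    """Return (dll path, entry point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def is_user_writable(path):
    """True when the path sits under a directory a normal user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def crash_target(cmdline):
    """PID named by 'WerFault.exe -p', i.e. the process that actually crashed."""
    m = WERFAULT_P_RE.search(cmdline)
    return int(m.group("pid")) if m else None


def analyze(processes, wpm_events):
    """Correlate DLL loads, the crash reporter and memory writes into one summary."""
    by_pid = {pid: (image, cmd) for image, cmd, pid in processes}

    # rundll32 hosts and the DLL each one was asked to load.
    loads = {pid: parse_rundll32(cmd)[0]
             for _, cmd, pid in processes if parse_rundll32(cmd)}
    temp_dlls = {pid for pid, dll in loads.items() if is_user_writable(dll)}

    # The crashed process is the -p argument of WerFault, not WerFault itself.
    crashed = None
    for _, cmd, pid in processes:
        target = crash_target(cmd)
        if target is not None and target in by_pid:
            crashed = {"pid": target, "image": by_pid[target][0],
                       "dll": loads.get(target), "reporter": pid}

    wpm = Counter(wpm_events)

    # A System32 (64-bit) rundll32 writing into a SysWOW64 (32-bit) rundll32 that
    # carries the same DLL argument is the WoW64 relaunch of a 32-bit DLL by its
    # parent, not an injection into a foreign process.
    wow64_relaunch = []
    for src, dst in wpm:
        if src in by_pid and dst in by_pid:
            s_img, d_img = by_pid[src][0].lower(), by_pid[dst][0].lower()
            if ("\\system32\\rundll32.exe" in s_img
                    and "\\syswow64\\rundll32.exe" in d_img
                    and loads.get(src) == loads.get(dst)):
                wow64_relaunch.append((src, dst))

    # Writes into WerFault come from the faulting process starting its crash reporter.
    werfault_writes = [(src, dst) for src, dst in wpm
                       if dst in by_pid and by_pid[dst][0].lower().endswith("werfault.exe")]

    return {"temp_dlls": temp_dlls, "crashed": crashed, "wpm": dict(wpm),
            "wow64_relaunch": wow64_relaunch, "werfault_writes": werfault_writes}


if __name__ == "__main__":
    result = analyze(PROCESSES, WPM_EVENTS)
    print("DLL loaded from user-writable path by PIDs:", sorted(result["temp_dlls"]))
    print("Crashed process:", result["crashed"])
    print("WriteProcessMemory pairs:", result["wpm"])
    print("Explained by WoW64 relaunch:", result["wow64_relaunch"])
    print("Explained by WerFault start-up:", result["werfault_writes"])
```

Run as a script it prints the five findings; every WriteProcessMemory pair in this report ends up in either the WoW64-relaunch bucket or the WerFault-start-up bucket, which is what lets an analyst read the two signatures as a 32-bit DLL crashing in its host rather than as process injection. The same functions work on any report of this shape; only the `PROCESSES` and `WPM_EVENTS` lists need to be filled from the page.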