Analysis
- max time kernel: 174s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-02-2023 20:26

Static task: static1
Behavioral task: behavioral1
- Sample: svhost.dll
- Resource: win7-20221111-en (windows7-x64)
- 3 signatures
- 300 seconds
General
- Target: svhost.dll
- Size: 179KB
- MD5: 8fcb6fb21b4326466378991e42ce9865
- SHA1: dd27145d9e4ec4a921b664183a9cbebee568c234
- SHA256: 7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca
- SHA512: b27e95893c3651ac5f1de42924a2ccf01669ed50809ecbb1f0edd1211a754bfc1566b55cda58649162d2d55efbfe61ee470b84f225084e8d277d0c7c77622281
- SSDEEP: 3072:CisRnzAl7X/AZfRn6sbQ6rQ7oWYRq+bWxfMlOrFj2jA2yR4l3LCtrv7fuVfkkIko:C7zMr8Jn6qrQuINtydq5E7
Malware Config (extracted)
- Family: systembc
- C2:
  - 45.77.195.73:443
  - 192.168.1.28:443
Signatures
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  - 5028 / 1700 / WerFault.exe / rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 1960 wrote to memory of 1700 / 1960 / rundll32.exe / rundll32.exe
  - PID 1960 wrote to memory of 1700 / 1960 / rundll32.exe / rundll32.exe
  - PID 1960 wrote to memory of 1700 / 1960 / rundll32.exe / rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 628
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1700 -ip 1700