Malware Analysis Report

2024-11-30 22:38

Sample ID 230516-s5f1esae41
Target Elected.Styce
SHA256 5f055b2ee3364f00afe1496ee6539a964cd02633aa737da81f54db4b82250242
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

5f055b2ee3364f00afe1496ee6539a964cd02633aa737da81f54db4b82250242

Threat Level: Likely benign

The file Elected.Styce was found to be: Likely benign.

Malicious Activity Summary


Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-05-16 15:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-16 15:42

Reported

2023-05-16 15:44

Platform

win7-20230220-en

Max time kernel

31s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Elected.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Elected.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Elected.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-16 15:42

Reported

2023-05-16 15:44

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Elected.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3548 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3548 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Elected.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Elected.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 596

Network

Country Destination Domain Proto
NL 8.253.208.120:80 tcp
NL 8.253.208.120:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 52.242.101.226:443 tcp
GB 51.105.71.136:443 tcp
NL 8.253.208.120:80 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 52.242.101.226:443 tcp
NL 173.223.113.164:443 tcp
US 52.242.101.226:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp

Files

N/A