Analysis
-
max time kernel
142s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
02-06-2023 16:30
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
cultivation.dll
Resource
win7-20230220-en
2 signatures
150 seconds
General
-
Target
cultivation.dll
-
Size
608KB
-
MD5
1158d283b86f29437b945dcbff15d271
-
SHA1
d0ca7f3b857ba502282a82ae999f9cb16252221b
-
SHA256
7e4d95082a010230aa024ac125e0adfffcfa914152219b2ef32b6893fe5ab9d7
-
SHA512
6c69233ce82b1d9794cd995748b634060f2205ca16729f571cc997d35e4034ea6738d0169efec66248e3828a152356d66b27fd7dfe41a7e187ca63fd3b00d1e5
-
SSDEEP
12288:zDxy+2MIBYYimb3oG11xfTUUk0uU7/GQ4vbnWj6:Pg+2MIBYkb4G11hTQ05bGM
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid   pid_target  process       target process
1888  1612        WerFault.exe  rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exe, rundll32.exe
description                         pid   process       target process
PID 1620 wrote to memory of 1612    1620  rundll32.exe  rundll32.exe
PID 1620 wrote to memory of 1612    1620  rundll32.exe  rundll32.exe
PID 1620 wrote to memory of 1612    1620  rundll32.exe  rundll32.exe
PID 1620 wrote to memory of 1612    1620  rundll32.exe  rundll32.exe
PID 1620 wrote to memory of 1612    1620  rundll32.exe  rundll32.exe
PID 1620 wrote to memory of 1612    1620  rundll32.exe  rundll32.exe
PID 1620 wrote to memory of 1612    1620  rundll32.exe  rundll32.exe
PID 1612 wrote to memory of 1888    1612  rundll32.exe  WerFault.exe
PID 1612 wrote to memory of 1888    1612  rundll32.exe  WerFault.exe
PID 1612 wrote to memory of 1888    1612  rundll32.exe  WerFault.exe
PID 1612 wrote to memory of 1888    1612  rundll32.exe  WerFault.exe
Processes
-
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1
   - Suspicious use of WriteProcessMemory
   PID:1620
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1
      - Suspicious use of WriteProcessMemory
      PID:1612
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 228
         - Program crash
         PID:1888
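The process tree and the WriteProcessMemory IoCs above tell one short story: the 64-bit rundll32.exe (PID 1620) was handed a 32-bit DLL, so it relaunched its SysWOW64 counterpart (PID 1612) with the same arguments, and that 32-bit rundll32.exe crashed while calling export #1, which is why WerFault.exe (PID 1888) was started with -p 1612. The memory writes are the parent's ordinary CreateProcess bookkeeping, not injection. The 3/10 score therefore says little about what cultivation.dll actually does; a practitioner would treat this run as "wrong entry point or crashed before doing anything" rather than "benign". The script below is an added example, not part of the sandbox report: it parses the IoC lines and the process tree (copied from the report as constructed inline input), rebuilds the parent/child relations from the write events, and flags the x64-to-x86 rundll32 hand-off and the WerFault crash. The function names and the PROCESSES record layout are this example's own.

```python
"""Rebuild the process chain of a sandbox report from its WriteProcessMemory
IoCs and process tree, then flag two patterns: a system32 rundll32.exe that
re-launched SysWOW64 rundll32.exe for a 32-bit DLL, and a WerFault.exe whose
-p argument names a process in that chain (i.e. it crashed).

Added example; not code from the report or the sandbox vendor."""
import re
from collections import Counter

# Constructed input: the eleven IoC rows from the report's WriteProcessMemory block.
IOC_LINES = """\
PID 1620 wrote to memory of 1612 1620 rundll32.exe rundll32.exe
PID 1620 wrote to memory of 1612 1620 rundll32.exe rundll32.exe
PID 1620 wrote to memory of 1612 1620 rundll32.exe rundll32.exe
PID 1620 wrote to memory of 1612 1620 rundll32.exe rundll32.exe
PID 1620 wrote to memory of 1612 1620 rundll32.exe rundll32.exe
PID 1620 wrote to memory of 1612 1620 rundll32.exe rundll32.exe
PID 1620 wrote to memory of 1612 1620 rundll32.exe rundll32.exe
PID 1612 wrote to memory of 1888 1612 rundll32.exe WerFault.exe
PID 1612 wrote to memory of 1888 1612 rundll32.exe WerFault.exe
PID 1612 wrote to memory of 1888 1612 rundll32.exe WerFault.exe
PID 1612 wrote to memory of 1888 1612 rundll32.exe WerFault.exe
"""

# Constructed input: the report's process tree, one record per process (layout is ours).
PROCESSES = [
    {"pid": 1620, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1"},
    {"pid": 1612, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1"},
    {"pid": 1888, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 228"},
]

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
IOC_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")


def parse_ioc_lines(text):
    """Return one (writer_pid, target_pid, writer_image, target_image) tuple per IoC row."""
    events = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid_col, src, dst = m.groups()
        if pid_col != writer:  # the pid column repeats the writer; anything else is garbage
            raise ValueError(f"inconsistent IoC row: {line!r}")
        events.append((int(writer), int(target), src, dst))
    return events


def write_counts(events):
    """How many times each (writer, target) pair appears; 7 + 4 = the report's 11 IoCs."""
    return Counter((w, t) for w, t, _, _ in events)


def parent_map(events):
    """A process that writes into a just-created process is its parent: target -> writer."""
    return {t: w for w, t, _, _ in events}


def _is_rundll32(proc):
    return proc["image"].lower().endswith("\\rundll32.exe")


def find_wow64_handoff(procs, parents):
    """Return (parent_pid, child_pid) when a system32 rundll32 spawned a SysWOW64 rundll32.

    That is what 64-bit rundll32.exe does when the DLL it was given is 32-bit, so the
    second rundll32 is the one that actually loaded the sample."""
    by_pid = {p["pid"]: p for p in procs}
    for child_pid, parent_pid in parents.items():
        child, parent = by_pid.get(child_pid), by_pid.get(parent_pid)
        if not (child and parent and _is_rundll32(child) and _is_rundll32(parent)):
            continue
        if "\\syswow64\\" in child["image"].lower() and "\\system32\\" in parent["image"].lower():
            return (parent_pid, child_pid)
    return None


def find_crashes(procs):
    """PIDs named by WerFault.exe's -p argument, i.e. the processes that crashed."""
    crashed = []
    for p in procs:
        if p["image"].lower().endswith("\\werfault.exe"):
            m = re.search(r"-p (\d+)", p["cmdline"])
            if m:
                crashed.append(int(m.group(1)))
    return crashed


def summarize(ioc_text, procs):
    events = parse_ioc_lines(ioc_text)
    parents = parent_map(events)
    handoff = find_wow64_handoff(procs, parents)
    crashed = find_crashes(procs)
    # The sample's real host is the child of the hand-off; if it crashed, the run is inconclusive.
    loader = handoff[1] if handoff else None
    return {
        "ioc_count": len(events),
        "write_counts": dict(write_counts(events)),
        "parents": parents,
        "wow64_handoff": handoff,
        "crashed_pids": crashed,
        "loader_crashed": loader is not None and loader in crashed,
    }


if __name__ == "__main__":
    for k, v in summarize(IOC_LINES, PROCESSES).items():
        print(f"{k}: {v}")
```

Run it against any similar report by pasting the IoC rows into IOC_LINES and the tree into PROCESSES; a run where `loader_crashed` is true should be re-submitted with a different export name or ordinal (the `,#1` in the command line) before the score is taken at face value.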