Analysis
max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2023 13:00
Behavioral task: behavioral1
Sample: 1332-55-0x000007FEF61C0000-0x000007FEF66F2000-memory.dll
Resource: win7-20230621-en (windows7-x64)
4 signatures
150 seconds
General
Target: 1332-55-0x000007FEF61C0000-0x000007FEF66F2000-memory.dll
Size: 5.2MB
MD5: 568a4056b2be640984ab8e3693b8605f
SHA1: 619143881538ae925d4b3bbd36cada5581b4c8af
SHA256: 7b13d5cea1797ed426be734ac146c7d07eccc743ab41ee2be7134f73a6905836
SHA512: 8d908573d5863f0993e627cdf571b79e8df62d5dba32ee3352651fa4bab1ccde294f759cac0d6052818ea89e3deb422e06797f336f346d6cde54235ec50e2123
SSDEEP: 98304:WjpVT7uv9amcCivg0pPb+/I+nuGBQ1ruWBW:WjruvoCiBpPK/DuUWBW
Malware Config
Extracted
Family: systembc
C2: 5.42.65.67:4298, localhost.exchange:4298
Signatures

Processes:
resource: behavioral1/memory/2028-55-0x000007FEF6080000-0x000007FEF65B2000-memory.dmp; yara_rule: themida

Program crash (1 IoCs)
Processes:
pid 1092 (WerFault.exe), pid_target 2028 (rundll32.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
PID 2028 (rundll32.exe) wrote to memory of 1092 (WerFault.exe)
PID 2028 (rundll32.exe) wrote to memory of 1092 (WerFault.exe)
PID 2028 (rundll32.exe) wrote to memory of 1092 (WerFault.exe)
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1332-55-0x000007FEF61C0000-0x000007FEF66F2000-memory.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 2028 -s 56
    - Program crash