Analysis

max time kernel: 137s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2023 04:37
Behavioral task: behavioral1
Sample: d8cca32c2f4261b2105be941a6f193b51ecbdf2fa79ed846bc9c7dbb17efb8cd.dll
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: d8cca32c2f4261b2105be941a6f193b51ecbdf2fa79ed846bc9c7dbb17efb8cd.dll
Resource: win10v2004-20230831-en
General

Target: d8cca32c2f4261b2105be941a6f193b51ecbdf2fa79ed846bc9c7dbb17efb8cd.dll
Size: 208KB
MD5: 150f927e80f301beed5067d68f2e672f
SHA1: 545d50d84312c1922416127de43c26723e94c3b9
SHA256: d8cca32c2f4261b2105be941a6f193b51ecbdf2fa79ed846bc9c7dbb17efb8cd
SHA512: 5a65f56a1a7ece146ea9a375a9e7cb4547716443071652125d9ddabc2ce62156c398711c79d5fedac179105bedc59231632271de6601e2ac3310723cb5bfa010
SSDEEP: 3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUuY57:LIDff9D8C6XYRw6MT2DEj
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{794E4F33-439C-4A90-8F27-11A37CB275CF}.catalogItem | svchost.exe

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  4528 | 4912 | WerFault.exe | rundll32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 2288 wrote to memory of 4912 | 2288 | rundll32.exe | rundll32.exe
  PID 2288 wrote to memory of 4912 | 2288 | rundll32.exe | rundll32.exe
  PID 2288 wrote to memory of 4912 | 2288 | rundll32.exe | rundll32.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8cca32c2f4261b2105be941a6f193b51ecbdf2fa79ed846bc9c7dbb17efb8cd.dll,#1
  PID: 2288
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8cca32c2f4261b2105be941a6f193b51ecbdf2fa79ed846bc9c7dbb17efb8cd.dll,#1
      PID: 4912
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 632
          PID: 4528
          - Program crash

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 4184
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912
  PID: 404