Overview

Static analysis: score 7

Behavioral tasks (all on windows10-2004-x64):
  Image Logg...er.exe: score 3
  Image Logg...re.dll: score 7
  Image Logg...32.sys: score 3
  Image Logg...64.sys: score 1
  Image Logger/RTFC.dll: score 1
  Image Logg...AL.dll: score 3
  Image Logg...UI.dll: score 3
  Image Logger/RTUI.dll: score 3
Analysis

Score: 3
Max time kernel: 243s
Max time network: 266s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-10-2023 13:18
Static task: static1

Behavioral task   Sample                             Resource
behavioral1       Image Logger/Image Grabber.exe     win10v2004-20230915-en
behavioral2       Image Logger/RTCore.dll            win10v2004-20230915-en
behavioral3       Image Logger/RTCore32.sys          win10v2004-20230915-en
behavioral4       Image Logger/RTCore64.sys          win10v2004-20230915-en
behavioral5       Image Logger/RTFC.dll              win10v2004-20230915-en
behavioral6       Image Logger/RTHAL.dll             win10v2004-20230915-en
behavioral7       Image Logger/RTMUI.dll             win10v2004-20230915-en
behavioral8       Image Logger/RTUI.dll              win10v2004-20230915-en
General

Target: Image Logger/RTHAL.dll
Size: 653KB
MD5: 8168295f8ccda92adb1c655545f50321
SHA1: 442924e466ff2a776d7b412d3d8f087017d35d03
SHA256: ab4ada300ef3e0cfb40f34be440edc4b4b7ce2983caef5b463c92c93a53543b3
SHA512: 97b93a3b63d80a2a3ca51ebc60d48a83fe43d45b0179bb462b305fb1699654cdfad5f32c2a00e4817378310a89f416088fb6903eaa1be8accb9ef890ab3fe4c2
SSDEEP: 6144:fFLF2uIiNpmlJUAVAviz601DMAZ/FKOXNDLTF3HDMFO1PKM3CIS1i2f7iibXeYDQ:e7emlJNl+GT1FKOXNvZ3DM6jCIh
Malware Config: none extracted

Signatures

Program crash (1 IoC)
  Process        PID    Target PID   Target process
  WerFault.exe   2204   4208         rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                          PID    Process        Target process
  PID 3808 wrote to memory of 4208     3808   rundll32.exe   rundll32.exe
  PID 3808 wrote to memory of 4208     3808   rundll32.exe   rundll32.exe
  PID 3808 wrote to memory of 4208     3808   rundll32.exe   rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe (PID 3808)
   rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Image Logger\RTHAL.dll",#1
   Signature: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 4208)
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Image Logger\RTHAL.dll",#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 2204)
         C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 692
         Signature: Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4208 -ip 4208

Reading the tree: the sandbox invoked export #1 of RTHAL.dll through the native (64-bit) rundll32.exe, which re-launched the same command line under the SysWOW64 rundll32.exe, the standard handoff when a 32-bit DLL is passed to the 64-bit loader. The three WriteProcessMemory IoCs are the 64-bit parent (3808) writing into the 32-bit child (4208) it had just created; on their own they document that handoff rather than injection into an unrelated process. The 32-bit rundll32.exe then crashed, which is why both WerFault.exe instances name PID 4208 in their -p argument. The report records nothing about what export #1 did before the crash, so the behavioral score for this file rests on the crash and the handoff only.
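The chain above (rundll32.exe loading a DLL from a user-writable temp directory by ordinal, the x64-to-WOW64 handoff, and WerFault.exe naming the crashed PID) is the kind of pattern an analyst would want to pull out of endpoint telemetry rather than read off a sandbox tree. The script below is an added example, not part of the sandbox report or the analysed sample: it runs that correlation over constructed process-creation events modelled on this report's tree. PIDs 3808, 4208 and 2204 and the command lines come from the report; the remaining PIDs, the parent PIDs, the timestamps and the benign control event are invented for the example, and the user-writable directory list is an illustrative assumption.

```python
import re

# Constructed process-creation events (Sysmon-style fields) modelled on the
# report's process tree. PIDs 3808/4208/2204 and the command lines are from the
# report; ppid 1234/900, PID 5555/6000 and the timestamps are invented.
EVENTS = [
    {"ts": 1, "pid": 3808, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Image Logger\RTHAL.dll",#1'},
    {"ts": 2, "pid": 4208, "ppid": 3808, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Image Logger\RTHAL.dll",#1'},
    {"ts": 3, "pid": 2204, "ppid": 4208, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 692"},
    {"ts": 4, "pid": 5555, "ppid": 900, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4208 -ip 4208"},
    # Benign control: rundll32 loading a system DLL by export name (invented).
    {"ts": 5, "pid": 6000, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

# rundll32 syntax: rundll32.exe <dll>,<export name or #ordinal>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
# Illustrative set of directories an unprivileged user can write to (assumption).
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
ORDINAL_RE = re.compile(r"^#\d+$")
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)")


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def werfault_target(cmdline):
    """PID named by WerFault's -p argument, i.e. the process that crashed."""
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def analyze(events):
    """Flag suspicious rundll32 loads and mark those that ended in a WerFault report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        image = e["image"].lower()
        if image.endswith("rundll32.exe"):
            parsed = parse_rundll32(e["cmdline"])
            if not parsed:
                continue
            dll, entry = parsed
            reasons = []
            if USER_WRITABLE_RE.search(dll):
                reasons.append("dll in user-writable directory")
            if ORDINAL_RE.match(entry):
                reasons.append("export called by ordinal")
            parent = by_pid.get(e["ppid"])
            # 64-bit rundll32 re-launching the SysWOW64 copy means the DLL is 32-bit.
            if parent and parent["image"].lower().endswith("rundll32.exe") and "syswow64" in image:
                reasons.append("x64->WOW64 rundll32 handoff (32-bit DLL)")
            if reasons:
                findings.append({"pid": e["pid"], "dll": dll, "entry": entry,
                                 "reasons": reasons, "crashed": False})
        elif image.endswith("werfault.exe"):
            target = werfault_target(e["cmdline"])
            for f in findings:
                if f["pid"] == target:
                    f["crashed"] = True
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f['pid']}: {f['dll']} {f['entry']} crashed={f['crashed']} :: {', '.join(f['reasons'])}")
```

Run against the constructed events it flags both rundll32 instances and marks 4208 as crashed, while the shell32.dll control is ignored. In real telemetry the interesting cases are the flagged loads that do not crash, since a crash like the one in this report usually means the export never got to do much.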