Analysis
max time kernel: 141s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2023, 16:51
Behavioral task: behavioral1
Sample: otc2legacy1.dll
Resource: win10v2004-20231127-en
4 signatures, 150 seconds
General
Target: otc2legacy1.dll
Size: 32.0MB
MD5: 37923a2464a0de6acbc234193598498f
SHA1: 5e616e742c7b9cb538927540edbe76234bde5f0b
SHA256: b91cfd8ada00477fcd49b40cc257eebe0ead1f2b6836078d8dc5df9a845f8a7e
SHA512: a0be3a3381f12a82f3025413748b13fb223cff0d8774dedb686a1aecf4724e321a10938d8e303d08a83ba2ba19b9e450a1c2207523374de3e1d6fac4081426de
SSDEEP: 196608:30dk1oOVc2xUMFC/ynUCy5PlzgOgLAd5VuS/pJdJvC8MBAFokMlucABs:kemOO2KZ/yUC6NzI5yPK8MBAFokMcS
Score: 7/10
Malware Config
Signatures
yara_rule match: vmprotect
  resource                                                                    yara_rule
  behavioral1/memory/4632-1-0x0000000073100000-0x0000000075104000-memory.dmp  vmprotect
  behavioral1/memory/4632-2-0x0000000073100000-0x0000000075104000-memory.dmp  vmprotect
Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  2308  4632        WerFault.exe  88
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid   Process
  4632  rundll32.exe
  4632  rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
  description                       pid   Process       procid_target
  PID 4304 wrote to memory of 4632  4304  rundll32.exe  88
  PID 4304 wrote to memory of 4632  4304  rundll32.exe  88
  PID 4304 wrote to memory of 4632  4304  rundll32.exe  88
Processes
C:\Windows\system32\rundll32.exe (PID 4304)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\otc2legacy1.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4632)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\otc2legacy1.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe (PID 2308)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 568
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 4132)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4632 -ip 4632
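Reading a tree like this by hand is error-prone, so below is an added triage script (my example, not part of the sandbox report or its tooling) that turns the Processes and WriteProcessMemory rows into records and answers the three questions a reviewer asks here: which DLL and export rundll32 loaded, whether the WriteProcessMemory rows point at anything other than the writer's own child, and which PID WerFault was started for. The EVENTS and WRITES records are constructed from the rows above; the field names (pid, ppid, image, cmdline) and the helper names are my own. The "wow64 handoff" check rests on one assumption stated in the comments: on x64 Windows a System32 rundll32 relaunches its SysWOW64 copy with the same command line when handed a 32-bit DLL, so a parent/child rundll32 pair with identical command lines, and the parent writing into that child, is the expected relaunch rather than an injection into an unrelated process.

```python
"""Triage helpers for a rundll32 process tree like the one in this report.

Added example, not part of the sandbox report.  EVENTS and WRITES are
constructed from the Processes and Signatures sections; field names are
my own choice.  Parent PIDs come from the tree nesting and the
"PID 4304 wrote to memory of 4632" rows; top-level processes get ppid None.
"""
import re
from pathlib import PureWindowsPath

EVENTS = [
    {"pid": 4304, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\otc2legacy1.dll,#1"},
    {"pid": 4632, "ppid": 4304, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\otc2legacy1.dll,#1"},
    {"pid": 2308, "ppid": 4632, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 568"},
    {"pid": 4132, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4632 -ip 4632"},
]

# (writer_pid, target_pid), one tuple per "Suspicious use of WriteProcessMemory" row.
WRITES = [(4304, 4632), (4304, 4632), (4304, 4632)]

# "rundll32.exe <dll>,<entry>": the entry is either "#<ordinal>" or a name.
_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?)\s*,\s*(?P<entry>#?\S+)", re.I)


def rundll32_target(cmdline):
    """Return (dll_path, entry) for a rundll32 command line, else None."""
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("entry")


def by_pid(events):
    return {e["pid"]: e for e in events}


def wow64_handoffs(events):
    """(parent, child) pairs where a System32 rundll32 spawned a SysWOW64
    rundll32 with the identical command line.  Assumption: this is the
    standard 32-bit DLL relaunch on x64 Windows, not cross-process injection."""
    procs = by_pid(events)
    out = []
    for e in events:
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        if (PureWindowsPath(e["image"]).name.lower() == "rundll32.exe"
                and PureWindowsPath(parent["image"]).name.lower() == "rundll32.exe"
                and "syswow64" in e["image"].lower()
                and "system32" in parent["image"].lower()
                and e["cmdline"] == parent["cmdline"]):
            out.append((parent["pid"], e["pid"]))
    return out


def unexplained_writes(writes, events):
    """WriteProcessMemory targets that are NOT a direct child of the writer.
    A parent writing into a child it just created is expected; any other
    target is what actually deserves the 'injection' reading."""
    procs = by_pid(events)
    return sorted({(w, t) for w, t in writes if procs.get(t, {}).get("ppid") != w})


def crashed_pids(events):
    """PIDs WerFault was invoked for (the '-p <pid>' argument), de-duplicated.
    '-pss' and '-ip' do not match because '-p' must be followed by whitespace."""
    pids = set()
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "werfault.exe":
            continue
        m = re.search(r"(?:^|\s)-p\s+(\d+)", e["cmdline"])
        if m:
            pids.add(int(m.group(1)))
    return sorted(pids)


def triage(events, writes):
    """One-shot summary: DLL/export loads, WOW64 relaunches, odd writes, crashes."""
    loads = {e["pid"]: t for e in events if (t := rundll32_target(e["cmdline"]))}
    return {
        "dll_loads": loads,
        "wow64_handoffs": wow64_handoffs(events),
        "unexplained_writes": unexplained_writes(writes, events),
        "crashed": crashed_pids(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS, WRITES), indent=2, default=str))
```

For this report the summary shows both rundll32 processes loading ordinal #1 of otc2legacy1.dll, one handoff (4304 to 4632), no write whose target is not the writer's own child, and 4632 as the only crashed PID, which is the same process the vmprotect YARA hit was taken from.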