Analysis
max time kernel: 184s
max time network: 147s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 09:23
Behavioral task: behavioral1
Sample: 30bafe5e2d742745a33338d965d41cd6.dll
Resource: win7-20231215-en
2 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 30bafe5e2d742745a33338d965d41cd6.dll
Resource: win10v2004-20231222-en
2 signatures, 150 seconds
General
Target: 30bafe5e2d742745a33338d965d41cd6.dll
Size: 743KB
MD5: 30bafe5e2d742745a33338d965d41cd6
SHA1: d89d7be0589426b82748c982e10f512320a5de0b
SHA256: 1c7c3ed81edd1c033e08fe0be1ed0a37e30bdea6b0b8843d98f5d796806f1861
SHA512: fc7c6da19ce4121efb4fe4de4e1321b0a7136e6cc2f06a462c9d5a894522699fabff39d7dc84b30e41162a91dccf77923f0eb95b4e722f14c895b9f18b5bc75b
SSDEEP: 12288:BEmRWvd469qwwvx9swGImfWLJiijqr4jnOa10RIIibqOLGRIg0M+sgMHF8D/Fx:BEvW6IwyjzsfxwOa10C+VIzpDtx
Score: 7/10
Malware Config

Signatures

YARA matches (resource / yara_rule):
behavioral1/memory/2756-0-0x0000000000C30000-0x0000000000DE8000-memory.dmp   vmprotect
behavioral1/memory/2756-2-0x0000000000C30000-0x0000000000DE8000-memory.dmp   vmprotect
behavioral1/memory/2756-3-0x0000000000C30000-0x0000000000DE8000-memory.dmp   vmprotect
behavioral1/memory/2756-1-0x0000000000C30000-0x0000000000DE8000-memory.dmp   vmprotect
behavioral1/memory/2756-4-0x0000000000C30000-0x0000000000DE8000-memory.dmp   vmprotect
behavioral1/memory/2756-5-0x0000000000C30000-0x0000000000DE8000-memory.dmp   vmprotect

Suspicious use of WriteProcessMemory (7 IoCs)
description                          pid    Process        procid_target
PID 2808 wrote to memory of 2756     2808   rundll32.exe   29
PID 2808 wrote to memory of 2756     2808   rundll32.exe   29
PID 2808 wrote to memory of 2756     2808   rundll32.exe   29
PID 2808 wrote to memory of 2756     2808   rundll32.exe   29
PID 2808 wrote to memory of 2756     2808   rundll32.exe   29
PID 2808 wrote to memory of 2756     2808   rundll32.exe   29
PID 2808 wrote to memory of 2756     2808   rundll32.exe   29
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30bafe5e2d742745a33338d965d41cd6.dll,#1
  PID: 2808
  Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30bafe5e2d742745a33338d965d41cd6.dll,#1
       PID: 2756