Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 12:39
Behavioral task: behavioral1
- Sample: 36753b4e0c6f797e3dec502350619929.dll
- Resource: win7-20231129-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 36753b4e0c6f797e3dec502350619929.dll
- Resource: win10v2004-20231222-en
- 5 signatures
- 150 seconds
General
- Target: 36753b4e0c6f797e3dec502350619929.dll
- Size: 6.3MB
- MD5: 36753b4e0c6f797e3dec502350619929
- SHA1: cadbe1ed88d23a44ec0655e8a4a5cea644435108
- SHA256: d1b39b582a79fc52b7d49015c757ee747fddcfde0c16441b68bb5e72dce8ceba
- SHA512: 96ee897ba371b7aec68e4604845bece5bf79083326724f6840525412e823b0e11acf8085429f6cf3c65b8868f8df3f1e15efa739701a1163ff2af1d4b8c9d95c
- SSDEEP: 98304:HIXHCYrOtuZGHlQTCZOWE/R4HKuZYAp0ctSrdXzaDbq+VGPtmr97/vXE:HIXimOtu+LGeQAqgGgNz57k
- Score: 7/10
Malware Config

Signatures
- YARA rule matches (resource / yara_rule):
  behavioral2/memory/436-0-0x0000000074260000-0x0000000074DD5000-memory.dmp / vmprotect
  behavioral2/memory/436-3-0x0000000074260000-0x0000000074DD5000-memory.dmp / vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid / Process:
  436 / rundll32.exe
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target:
  1004 / 436 / WerFault.exe / 22
  1680 / 436 / WerFault.exe / 22
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
  436 / rundll32.exe
  436 / rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  PID 2656 wrote to memory of 436 / 2656 / rundll32.exe / 22
  PID 2656 wrote to memory of 436 / 2656 / rundll32.exe / 22
  PID 2656 wrote to memory of 436 / 2656 / rundll32.exe / 22
Processes (indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36753b4e0c6f797e3dec502350619929.dll,#1
  PID: 2656
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36753b4e0c6f797e3dec502350619929.dll,#1
      PID: 436
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 236
          PID: 1004
          - Program crash
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 592
          PID: 1680
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 436 -ip 436
  PID: 2472
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 436 -ip 436
  PID: 1504