Analysis

- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 11:26
Behavioral task behavioral1
- Sample: 6781197c92bc19798b92411306f5d99e.dll
- Resource: win7-20231129-en
- Platform: windows7-x64
- 10 signatures
- 150 seconds

Behavioral task behavioral2
- Sample: 6781197c92bc19798b92411306f5d99e.dll
- Resource: win10v2004-20231222-en
- Platform: windows10-2004-x64
- 3 signatures
- 150 seconds
General

- Target: 6781197c92bc19798b92411306f5d99e.dll
- Size: 171KB
- MD5: 6781197c92bc19798b92411306f5d99e
- SHA1: e2a944f8453137ea0e1a081c004ecf33b4fe9d5e
- SHA256: cfb568ffa756f889f2fef28e17c1fb9388603ccbae27ab3cdc491914d298e81e
- SHA512: 86580a860e02ee6f56078200ccd9eb5f7613a3c8076f8272ded432a389ebdf31535a9e854eee019b7eeced4fdc1d5e77d4d217076b34d369ca6fbdaffc19f68a
- SSDEEP: 3072:pXgNfqDLdhcCu5Q+Mc29SPSuQlTBPvOLkonVpoNABc4N1vhCsOGHboutA:pwkUc8KJlU4on3DyYCsroS
- Score: 7/10
Malware Config
Signatures

- Processes:

  | resource | yara_rule |
  | --- | --- |
  | behavioral2/memory/2056-0-0x00000000007C0000-0x000000000080B000-memory.dmp | upx |
  | behavioral2/memory/2056-1-0x00000000007C0000-0x000000000080B000-memory.dmp | upx |

- Program crash (1 IoCs)

  Processes:

  | pid | pid_target | process | target process |
  | --- | --- | --- | --- |
  | 1816 | 2056 | WerFault.exe | rundll32.exe |

- Suspicious use of WriteProcessMemory (3 IoCs)

  Processes:

  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 324 wrote to memory of 2056 | 324 | rundll32.exe | rundll32.exe |
  | PID 324 wrote to memory of 2056 | 324 | rundll32.exe | rundll32.exe |
  | PID 324 wrote to memory of 2056 | 324 | rundll32.exe | rundll32.exe |
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6781197c92bc19798b92411306f5d99e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6781197c92bc19798b92411306f5d99e.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 544
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2056 -ip 2056