Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 01:22
Behavioral task: behavioral1
- Sample: 735cd5620753c74d62606ec19744a461.dll
- Resource: win7-20231215-en (windows7-x64)
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 735cd5620753c74d62606ec19744a461.dll
- Resource: win10v2004-20231215-en (windows10-2004-x64)
- 3 signatures
- 150 seconds
General
- Target: 735cd5620753c74d62606ec19744a461.dll
- Size: 79KB
- MD5: 735cd5620753c74d62606ec19744a461
- SHA1: 28896ea14babe65ff541653e92da5a8435338413
- SHA256: 9d847700d5f05b0b02e9861b4e61c4ae7724b5c899d94500a4ae19c222cbc6c3
- SHA512: c341ff3e0bd2d18f2eade9d67cde1b1b9875e9dfaa6f90ae52dbbabded72435080ef2159d563341c1b7aa21e0dc60dd216eebac709b62ca400148f2cd5d3ea47
- SSDEEP: 1536:znsKF+NWG6qEPv/Cqaxz469WeCz76G8hVfT08779HxNXKbGmO52nu:zsKF+Nh6qunCqaxs69MzL8hVfdRNlnMu
- Score: 7/10
Malware Config
Signatures
- YARA rule matches (3 memory dumps)
  resource                                                                     yara_rule
  behavioral1/memory/1808-2-0x00000000001E0000-0x0000000000217000-memory.dmp  upx
  behavioral1/memory/1808-0-0x00000000000F0000-0x0000000000127000-memory.dmp  upx
  behavioral1/memory/1808-4-0x00000000001E0000-0x0000000000217000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2372  1808        WerFault.exe  16
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1808  rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 1248 wrote to memory of 1808  1248  rundll32.exe  16
  PID 1248 wrote to memory of 1808  1248  rundll32.exe  16
  PID 1248 wrote to memory of 1808  1248  rundll32.exe  16
  PID 1248 wrote to memory of 1808  1248  rundll32.exe  16
  PID 1248 wrote to memory of 1808  1248  rundll32.exe  16
  PID 1248 wrote to memory of 1808  1248  rundll32.exe  16
  PID 1248 wrote to memory of 1808  1248  rundll32.exe  16
  PID 1808 wrote to memory of 2372  1808  rundll32.exe  17
  PID 1808 wrote to memory of 2372  1808  rundll32.exe  17
  PID 1808 wrote to memory of 2372  1808  rundll32.exe  17
  PID 1808 wrote to memory of 2372  1808  rundll32.exe  17
Processes
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\735cd5620753c74d62606ec19744a461.dll,#1
  PID: 1808
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 692
    PID: 2372
    - Program crash
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\735cd5620753c74d62606ec19744a461.dll,#1
  PID: 1248
  - Suspicious use of WriteProcessMemory