Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25-01-2024 16:01
Static task
static1
Behavioral task
behavioral1
Sample
74ebc4f7d1faa17cffe70c1c370ca3c4.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
74ebc4f7d1faa17cffe70c1c370ca3c4.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/kaxgcem.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/kaxgcem.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsisunz.dll
Resource
win7-20231215-en
General
-
Target
$PLUGINSDIR/kaxgcem.dll
-
Size
153KB
-
MD5
64ffd6dbd03f55408fbc6640317368f0
-
SHA1
227d86d47d53d5f62a2227e6d2b282519d38005d
-
SHA256
b8d9b2c53ea62560b03c2ef9f139370380b4c931d1fc02172bc7e1a98e41ffc3
-
SHA512
ba03c31e00ec24a7bd4e59088feaee3eb389b459cbd041613222f95d9ea1689920127d390d81c2e0000ccf72f67a2043cf81dd324cab3c887003aa93783501c8
-
SSDEEP
3072:GIM31De7jBYnZRWxnXnCjTDX/+dG/QsSauQ:9M31EzyjTjIGcQ
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2184 2372 WerFault.exe rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1652 wrote to memory of 2372 1652 rundll32.exe rundll32.exe PID 1652 wrote to memory of 2372 1652 rundll32.exe rundll32.exe PID 1652 wrote to memory of 2372 1652 rundll32.exe rundll32.exe PID 1652 wrote to memory of 2372 1652 rundll32.exe rundll32.exe PID 1652 wrote to memory of 2372 1652 rundll32.exe rundll32.exe PID 1652 wrote to memory of 2372 1652 rundll32.exe rundll32.exe PID 1652 wrote to memory of 2372 1652 rundll32.exe rundll32.exe PID 2372 wrote to memory of 2184 2372 rundll32.exe WerFault.exe PID 2372 wrote to memory of 2184 2372 rundll32.exe WerFault.exe PID 2372 wrote to memory of 2184 2372 rundll32.exe WerFault.exe PID 2372 wrote to memory of 2184 2372 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\kaxgcem.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\kaxgcem.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 2203⤵
- Program crash
PID:2184