Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 13-02-2024 11:14
Static task: static1
Behavioral task behavioral1: sample PO19223403.scr, resource win7-20231215-en
Behavioral task behavioral2: sample PO19223403.scr, resource win10v2004-20231222-en
Behavioral task behavioral3: sample $PLUGINSDIR/nsExec.dll, resource win7-20231215-en
Behavioral task behavioral4: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20231215-en
Behavioral task behavioral5: sample Pointment/Kreditgivninger/Campanulous/Blaamejses.ps1, resource win7-20231215-en
Behavioral task behavioral6: sample Pointment/Kreditgivninger/Campanulous/Blaamejses.ps1, resource win10v2004-20231215-en
General
- Target: $PLUGINSDIR/nsExec.dll
- Size: 6KB
- MD5: c5b9fe538654a5a259cf64c2455c5426
- SHA1: db45505fa041af025de53a0580758f3694b9444a
- SHA256: 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
- SHA512: f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa
- SSDEEP: 96:xr7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkNL38:xxbGgGPzxeX6D8ZyGgmkN
Malware Config
Signatures
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2468  2856        WerFault.exe  28
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process       procid_target  rows
  PID 2508 wrote to memory of 2856    2508  rundll32.exe  28             7 identical rows
  PID 2856 wrote to memory of 2468    2856  rundll32.exe  29             4 identical rows
  Note: in both cases the target is the writer's own direct child in the process tree (the 64-bit rundll32 spawning a SysWOW64 rundll32 to load the 32-bit DLL, which then spawns WerFault when it crashes). Parent-to-child writes at process creation trigger this signature routinely; they are not evidence of injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (PID 2508)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2856)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2468)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 228
      signatures: Program crash
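The following is an added example, not part of the sandbox report or its tooling: a small Python script that parses the flattened signature rows and the process list from this report, rebuilds the parent/child tree from the depth markers the sandbox fuses onto each command line, and checks whether every WriteProcessMemory target is the writer's direct child and which image actually crashed. The input rows are constructed by copying the report's tables; the assumption that the trailing digit on each process line is its tree depth is mine.

```python
"""Rebuild the process tree and IoC counts from the flattened report tables."""
import re
from collections import Counter

# Sample input constructed by copying the flattened tables from the report above.
WPM_TABLE = (
    "PID 2508 wrote to memory of 2856 2508 rundll32.exe 28 " * 7
    + "PID 2856 wrote to memory of 2468 2856 rundll32.exe 29 " * 4
)
CRASH_TABLE = "2468 2856 WerFault.exe 28"

# (depth, image, command line, pid) as shown in the process tree. Assumption:
# depth is the trailing digit the report fuses onto each command line.
PROCESS_TABLE = [
    (1, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1", 2508),
    (2, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1", 2856),
    (3, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 228", 2468),
]

# The flattened row repeats the writer pid after the description; \1 enforces that.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
CRASH_RE = re.compile(r"(\d+) (\d+) (\S+) (\d+)")


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_image, procid_target) per event."""
    return [(int(w), int(t), img, int(pt)) for w, t, img, pt in WPM_RE.findall(text)]


def parse_crash(text):
    """Return (reporter_pid, crashed_pid, reporter_image, procid_target) per row."""
    return [(int(p), int(t), img, int(pt)) for p, t, img, pt in CRASH_RE.findall(text)]


def build_tree(rows):
    """Map pid -> parent pid using the depth column (None for the root)."""
    parents, stack = {}, []
    for depth, _image, _cmd, pid in rows:
        stack = stack[: depth - 1]          # pop back to this node's parent level
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def wpm_summary(events, parents):
    """Count writes per (writer, target) and flag those aimed at a direct child.

    A parent writing into a child it has just spawned is the normal footprint of
    process creation; writes into a process that is not its child are the ones
    worth a closer look.
    """
    counts = Counter((w, t) for w, t, _img, _pt in events)
    return {pair: (n, parents.get(pair[1]) == pair[0]) for pair, n in counts.items()}


def crash_summary(crashes, rows):
    """Resolve the crashed process image and confirm the reporter is its child."""
    image = {pid: img for _d, img, _c, pid in rows}
    parents = build_tree(rows)
    return [
        {"crashed": image[t], "reporter": image[p], "reporter_is_child": parents[p] == t}
        for p, t, _img, _pt in crashes
    ]


if __name__ == "__main__":
    tree = build_tree(PROCESS_TABLE)
    print(wpm_summary(parse_wpm(WPM_TABLE), tree))
    print(crash_summary(parse_crash(CRASH_TABLE), PROCESS_TABLE))
```

Run as-is it reports the two writer/target pairs (7 and 4 events) both flagged as parent-to-child, and the crash resolved to the SysWOW64 rundll32.exe with WerFault.exe as its child; swapping in rows from another report where a write lands outside the writer's subtree makes the `False` flag stand out immediately.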