Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 02:07
Static task: static1
Behavioral task: behavioral1
Sample: c7687b50f05109f7685880845f9a6ad4.dll
Resource: win7-20240220-en
General
Target: c7687b50f05109f7685880845f9a6ad4.dll
Size: 456KB
MD5: c7687b50f05109f7685880845f9a6ad4
SHA1: 8696d7e824e0d4f5681126e5304f497abf464f74
SHA256: 33f2e8bdb251784b40275d4f3755439d4c914937fc6f335185b501259133e504
SHA512: 5588418bfe8bb73f7e0d340e79d72b8347460df072534789e1cca6b018a3faa7977556b95769ed59bc877f5f748e4080bfd47f6ac9a1bc8abf60fb3c8c7b90af
SSDEEP: 12288:oV7LMzw56Wx1Dk/qon6xyYhgPFaUVlth9jKajO8FOMr:y1oC3yWgPFv1Ka90U
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1656, Process rundll32mgr.exe
- Loads dropped DLL (9 IoCs)
  pid 2496, Process rundll32.exe (2 entries)
  pid 2928, Process WerFault.exe (7 entries)
- Drops file in System32 directory (1 IoC)
  description: File created; ioc: C:\Windows\SysWOW64\rundll32mgr.exe; Process: rundll32.exe
- Program crash (1 IoC)
  pid 2928, pid_target 1656, Process WerFault.exe, procid_target 29
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1640 wrote to memory of 2496, Process rundll32.exe, procid_target 28 (7 entries)
  PID 2496 wrote to memory of 1656, Process rundll32.exe, procid_target 29 (4 entries)
  PID 1656 wrote to memory of 2928, Process rundll32mgr.exe, procid_target 30 (4 entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1640, depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7687b50f05109f7685880845f9a6ad4.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2496, depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7687b50f05109f7685880845f9a6ad4.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID 1656, depth 3)
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 2928, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 100
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 60KB
  MD5: b229d97259dc81a0da33a726a9bd5f92
  SHA1: 5720e02ecfdb2e26730873f1f9f2ff4c9554f463
  SHA256: 36ea4da216ea92b12723415be977e91acb74d06059e0c5925787efaeb450434c
  SHA512: 85e956b5448691b0fa7116f85be83cdd0c847468867d6e57a0801a1ea4a74c3c830867a7f424162986055f576e485a1f9fd52c0108833364113683ba794c8184