Overview
overview
3Static
static
3MSVCR100.dll
windows7-x64
3MSVCR100.dll
windows10-2004-x64
3WebView2Loader.dll
windows7-x64
1WebView2Loader.dll
windows10-2004-x64
3exe.exe
windows7-x64
3exe.exe
windows10-2004-x64
3i7.exe
windows7-x64
1i7.exe
windows10-2004-x64
1jli.dll
windows7-x64
3jli.dll
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
23-04-2024 16:12
Static task
static1
Behavioral task
behavioral1
Sample
MSVCR100.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
MSVCR100.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
WebView2Loader.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
WebView2Loader.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
exe.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
exe.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral7
Sample
i7.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
i7.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
jli.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
jli.dll
Resource
win10v2004-20240412-en
General
-
Target
jli.dll
-
Size
29.8MB
-
MD5
dbf0e80807ecbb72c05600f1b0a8c52e
-
SHA1
37a0bac28f6e88d972e3fc4e45d9226959d6f5f6
-
SHA256
08bbb333532b9c1a045337343f92517721a90e1d03aab1fcd4830b986758fc8c
-
SHA512
c959caea8ba174558f990ca61d1e692a7eb97c8faf41a1e82dd0216797b4991cb0acf166c85ee764f302cd3f874ac2b25ea00e5bd7b76f79b26079d1db2655c9
-
SSDEEP
196608:g9r1VSx657ZURMOgsDxOZQwNH9QkDdfvpn:gLVSAutgskhHSiXZ
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 2016 4828 WerFault.exe 86 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 5084 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4696 wrote to memory of 4828 4696 rundll32.exe 86 PID 4696 wrote to memory of 4828 4696 rundll32.exe 86 PID 4696 wrote to memory of 4828 4696 rundll32.exe 86
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\jli.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\jli.dll,#12⤵PID:4828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 6283⤵
- Program crash
PID:2016
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4828 -ip 48281⤵PID:4120
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:3804
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084