Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: 972e71cceda1e90b825a6a656d92ef6377813a30bc03d2719784be42b950fc59.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 972e71cceda1e90b825a6a656d92ef6377813a30bc03d2719784be42b950fc59.dll
  Resource: win10v2004-20240508-en
General
Target: 972e71cceda1e90b825a6a656d92ef6377813a30bc03d2719784be42b950fc59.dll
Size: 280KB
MD5: 1d8e58c1e16aa2a08be35a74b749ba2c
SHA1: 3625b77ddd36475eb67f67227d7b5cce55615660
SHA256: 972e71cceda1e90b825a6a656d92ef6377813a30bc03d2719784be42b950fc59
SHA512: 83f3aa41eef75cceb0df77d3bf7381629955fcc8882cd86b96be584781a495551f3e7bd449874f5d2d578036cd1359700835cc3bde8ba31b619be729ba7e29bb
SSDEEP: 6144:4Ns8V66ErA1M1862IJ0sxVhC3SEPAQWWe:8VOc1i86msx0RHe
Malware Config
Signatures
Detect suspicious telegram bot (1 IoC)
Detect suspicious telegram bot.
  resource                                                                  | yara_rule
  behavioral1/memory/1432-0-0x000000006ED40000-0x000000006ED86000-memory.dmp | suspicious_telegram_bot
Suspicious use of WriteProcessMemory (7 IoCs)
  description                          | pid  | Process      | procid_target
  PID 1960 wrote to memory of 1432     | 1960 | rundll32.exe | 28
  PID 1960 wrote to memory of 1432     | 1960 | rundll32.exe | 28
  PID 1960 wrote to memory of 1432     | 1960 | rundll32.exe | 28
  PID 1960 wrote to memory of 1432     | 1960 | rundll32.exe | 28
  PID 1960 wrote to memory of 1432     | 1960 | rundll32.exe | 28
  PID 1960 wrote to memory of 1432     | 1960 | rundll32.exe | 28
  PID 1960 wrote to memory of 1432     | 1960 | rundll32.exe | 28
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\972e71cceda1e90b825a6a656d92ef6377813a30bc03d2719784be42b950fc59.dll,#1
  PID: 1960
  Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\972e71cceda1e90b825a6a656d92ef6377813a30bc03d2719784be42b950fc59.dll,#1
    PID: 1432