Analysis
- max time kernel: 142s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 22:18
Static task
- static1
Behavioral tasks
- behavioral1: Sample QKNM5NMWZO2OKDWPK3COLF1PKYJ8CI4BZ28.dll, Resource win7-20240221-en
- behavioral2: Sample QKNM5NMWZO2OKDWPK3COLF1PKYJ8CI4BZ28.dll, Resource win10v2004-20240508-en
- behavioral3: Sample Y79IVWDNW95AXJYRNC41RN49QWGCIS1VJLK23.exe, Resource win7-20240221-en
- behavioral4: Sample Y79IVWDNW95AXJYRNC41RN49QWGCIS1VJLK23.exe, Resource win10v2004-20240508-en
General
- Target: QKNM5NMWZO2OKDWPK3COLF1PKYJ8CI4BZ28.dll
- Size: 5.0MB
- MD5: 082163b6bc7a8896d535731874c8d191
- SHA1: e9f1adf316f6b2afb975acd5a294b0df513fd0dd
- SHA256: 874ec7d6310616a24a6d31244abe030d171308ff12b6bcab3d519ce60bc5b598
- SHA512: c2b3764faa5f1be5937f424eaa456e7b8a8f0c24e7f8dfe9d7275be20c12878fd3343a4fe43ee8a90784af0bc0ad6d891a73593aabe961c58ad3de6b0650f9b3
- SSDEEP: 49152:NSEMFRCGaY1Z5vSarGzWFV1eamZwpSiGodSKlHsh+RfqEOyLyGl2MysqPtXN3bKl:NjOCGR1L2amZwGodS3NUsveGXww
Malware Config
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  2864  2832        WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 2648 wrote to memory of 2832  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 2832  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 2832  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 2832  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 2832  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 2832  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 2832  2648  rundll32.exe  rundll32.exe
  PID 2832 wrote to memory of 2864  2832  rundll32.exe  WerFault.exe
  PID 2832 wrote to memory of 2864  2832  rundll32.exe  WerFault.exe
  PID 2832 wrote to memory of 2864  2832  rundll32.exe  WerFault.exe
  PID 2832 wrote to memory of 2864  2832  rundll32.exe  WerFault.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\QKNM5NMWZO2OKDWPK3COLF1PKYJ8CI4BZ28.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\QKNM5NMWZO2OKDWPK3COLF1PKYJ8CI4BZ28.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 300
      - Program crash