Analysis

max time kernel: 140s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 05:31
Behavioral task: behavioral1
Sample: WeChatApi.dll
Resource: win7-20240221-en
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: WeChatApi.dll
Resource: win10v2004-20240508-en
3 signatures, 150 seconds
General

Target: WeChatApi.dll
Size: 5.0MB
MD5: 157c57a92635d9c40ddf2eba58284457
SHA1: 52e10c140fb27849fd2540512cee2771f2fd5649
SHA256: 324198f66360d0cd7a02d80a10f93cc3e68af49c3f791dcdd2f6a3851ca52f89
SHA512: 426925ab44ecbbf2c4a0fe2f4dd29d73b17546a920be1154a4440e78ef6d270b5469f900d2a7d115572102e583388448ed72209e21690d0b4e370cabc446b402
SSDEEP: 98304:0JBv7h2XtZIQipeqGlhAimjMzMMeGStjlyfdvHXx6RBlbXhazbze8cd:U7CZDjqGjAiPzLe5j8lfh+B9X/
Score: 7/10
Malware Config

Signatures

YARA rule match
  resource: behavioral2/memory/4480-0-0x0000000074280000-0x0000000074D74000-memory.dmp
  yara_rule: vmprotect

Program crash (1 IoC)
  pid: 4700 | pid_target: 4480 | Process: WerFault.exe | procid_target: 84

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 264 wrote to memory of 4480 | pid: 264 | Process: rundll32.exe | procid_target: 84
  description: PID 264 wrote to memory of 4480 | pid: 264 | Process: rundll32.exe | procid_target: 84
  description: PID 264 wrote to memory of 4480 | pid: 264 | Process: rundll32.exe | procid_target: 84
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\WeChatApi.dll,#1
  PID: 264
  signature: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\WeChatApi.dll,#1
    PID: 4480

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 628
      PID: 4700
      signature: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4480 -ip 4480
  PID: 4596