Analysis
max time kernel: 315s
max time network: 1580s
platform: windows10-1703_x64
resource: win10-20240404-en
submitted: 23/05/2024, 17:53
Behavioral task behavioral1: sample femordial.dll, resource win10-20240404-en
Behavioral task behavioral2: sample femordial.dll, resource win10v2004-20240426-en
General
Target: femordial.dll
Size: 36.1MB
MD5: 38bf550f8d73ea9791d7778d9b6b44a8
SHA1: 67bf70a4d78f9f18b1af30cd9c85c632b52188c1
SHA256: ed6566cd8828d0d9a7bd2bd7731df7703977d9b18fa7ede31bb8b1835b12da78
SHA512: cfff6d55b90a42be22d09aaf30eed718b71fff8bfddab2404e968359a18ab8aec679a4ca85e144d3527602fd515a03724e897addd68865e796b0a387f582fd7f
SSDEEP: 393216:g4S82OrtN+zJkGsF20dH5ZXtpKjzw1QxgvLqmNAmjpy:7OOrtN+zJkGsF2OZZXuv4GcLjp
Malware Config
Signatures
Drops file in Windows directory (2 IoCs)
description   ioc                                                     Process
File created  C:\Windows\rescache\_merged\4183903823\2290032291.pri   taskmgr.exe
File created  C:\Windows\rescache\_merged\1601268389\715946058.pri    taskmgr.exe
Note: both files were written by taskmgr.exe (PID 2212), the Task Manager instance started in the VM, not by either rundll32.exe process hosting femordial.dll. The .pri files under C:\Windows\rescache\_merged are the resource loader's merged Package Resource Index cache, so this hit does not attribute any file drop to the sample.
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
1212  752         WerFault.exe  74
4376  752         WerFault.exe  74
Note: the crashing process is the 32-bit rundll32.exe (PID 752, C:\Windows\SysWOW64) that the 64-bit rundll32.exe (PID 928) relaunched to host the DLL; System32\rundll32.exe does this whenever it is handed a 32-bit DLL. WerFault.exe was invoked twice for the same PID (-p 752), so the host running export #1 faulted twice in this environment rather than running to completion.
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Note: this is the only registry signature attributed to the sample's host process (rundll32.exe, PID 752) rather than to taskmgr.exe. Ordinary locale initialisation also opens NLS\Language, so on its own the hit is weak evidence of geofencing; it would need to be correlated with a language-dependent branch in the code.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                                       Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                                    taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000                                                                 taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A       taskmgr.exe
Note: all three reads come from taskmgr.exe (PID 2212), which enumerates disks for its Performance tab; the property key {b725f130-47ef-101a-a5f1-02608c9eebac},10 is DEVPKEY_NAME, the device's display name. None of this is attributable to the sample. The device-instance path itself is still informative: Ven_QEMU / Prod_HARDDISK is exactly the vendor string an anti-sandbox check in a sample would find on this QEMU-backed analysis VM.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                 Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    taskmgr.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
Note: again taskmgr.exe (PID 2212), which displays ProcessorNameString on its Performance tab. Not attributable to the sample.
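The vendor and product fragments of the SCSI device-instance path above are what an anti-sandbox check actually compares against. The following Python is an added example, not part of the report or of the sample: it parses Enum\SCSI paths of the form seen on this page, collapses the per-key IoCs (FriendlyName, Properties\..., the key itself) onto the underlying device, and flags hypervisor vendor strings. The regular expression, the marker list and the contrasting NVMe path are the editor's assumptions.

```python
"""Parse SCSI device-instance registry paths and flag hypervisor vendor/product
strings, the comparison an anti-sandbox check performs on these keys.
Added example; the regex, marker list and the NVMe contrast path are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the IoC paths in this report (all read by taskmgr.exe, PID 2212),
# plus one constructed physical-host path for contrast (not from the report).
REPORT_PATHS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_980\5&1a2b3c4d&0&000000\FriendlyName",
]

# Vendor/product fragments evasion code commonly looks for (assumption: representative, not exhaustive).
HYPERVISOR_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "MSFT", "XEN", "PARALLELS")

# Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]\<instance id>
_SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^&\\]+)"
    r"(?:&Rev_(?P<rev>[^\\]*))?\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str
    vendor: str
    product: str
    instance: str


def parse_scsi_path(path: str) -> Optional[ScsiDevice]:
    """Return the device behind a registry path, or None if it is not an Enum\\SCSI path."""
    m = _SCSI_RE.search(path)
    if not m:
        return None
    return ScsiDevice(m["class"], m["vendor"], m["product"], m["instance"])


def looks_virtual(dev: ScsiDevice) -> bool:
    """Case-insensitive substring match of vendor+product against the marker list."""
    blob = f"{dev.vendor} {dev.product}".upper()
    return any(marker in blob for marker in HYPERVISOR_MARKERS)


def unique_devices(paths):
    """Collapse per-key IoCs onto the device instance they describe."""
    seen = {}
    for p in paths:
        dev = parse_scsi_path(p)
        if dev is not None:
            seen.setdefault(dev, []).append(p)
    return seen


def classify(paths):
    """Map each distinct device to whether it carries a hypervisor marker."""
    return {dev: looks_virtual(dev) for dev in unique_devices(paths)}


if __name__ == "__main__":
    for dev, virtual in classify(REPORT_PATHS).items():
        verdict = "VM marker" if virtual else "no VM marker"
        print(f"{dev.device_class} {dev.vendor}/{dev.product} ({dev.instance}): {verdict}")
```

Run against the report's three paths plus the contrast path, the QEMU disk collapses to a single device that is flagged and the NVMe disk is not; the same parser can be pointed at a Sysmon or procmon registry-access export to see which SCSI device a sample actually inspected.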
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid   Process      occurrences
2212  taskmgr.exe  12
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description                         pid   Process
Token: SeDebugPrivilege             2212  taskmgr.exe
Token: SeSystemProfilePrivilege     2212  taskmgr.exe
Token: SeCreateGlobalPrivilege      2212  taskmgr.exe
Token: 33                           2212  taskmgr.exe
Token: SeIncBasePriorityPrivilege   2212  taskmgr.exe
Note: privilege LUID 33 is SeIncreaseWorkingSetPrivilege. All five adjustments are by taskmgr.exe, which enables SeDebugPrivilege to open every process it lists; nothing here is attributable to the sample.
Suspicious use of FindShellTrayWindow (38 IoCs)
pid   Process      occurrences
2212  taskmgr.exe  38
Suspicious use of SendNotifyMessage (38 IoCs)
pid   Process      occurrences
2212  taskmgr.exe  38
Suspicious use of WriteProcessMemory (51 IoCs)
description                         pid   Process       procid_target  occurrences
PID 928 wrote to memory of 752      928   rundll32.exe  74             3
PID 4112 wrote to memory of 4296    4112  cmd.exe       86             2
PID 4112 wrote to memory of 2996    4112  cmd.exe       88             2
PID 4112 wrote to memory of 4592    4112  cmd.exe       89             2
PID 4112 wrote to memory of 2556    4112  cmd.exe       90             2
PID 4112 wrote to memory of 4388    4112  cmd.exe       91             2
PID 4112 wrote to memory of 204     4112  cmd.exe       92             2
PID 4112 wrote to memory of 1324    4112  cmd.exe       93             2
PID 4112 wrote to memory of 3812    4112  cmd.exe       94             2
PID 4112 wrote to memory of 528     4112  cmd.exe       95             2
PID 4112 wrote to memory of 1764    4112  cmd.exe       96             2
PID 4112 wrote to memory of 696     4112  cmd.exe       97             2
PID 4112 wrote to memory of 4448    4112  cmd.exe       98             2
PID 4112 wrote to memory of 3248    4112  cmd.exe       99             2
PID 4112 wrote to memory of 700     4112  cmd.exe       100            2
PID 4112 wrote to memory of 4168    4112  cmd.exe       101            2
PID 4112 wrote to memory of 1016    4112  cmd.exe       102            2
PID 4112 wrote to memory of 4792    4112  cmd.exe       103            2
PID 4112 wrote to memory of 1940    4112  cmd.exe       104            2
PID 4112 wrote to memory of 988     4112  cmd.exe       105            2
PID 4112 wrote to memory of 3796    4112  cmd.exe       106            2
PID 4112 wrote to memory of 424     4112  cmd.exe       107            2
PID 4112 wrote to memory of 4276    4112  cmd.exe       108            2
PID 4112 wrote to memory of 4352    4112  cmd.exe       109            2
PID 4112 wrote to memory of 3708    4112  cmd.exe       110            2
Note: every target is a direct child the writer had just created (the 64-bit rundll32.exe writing into its 32-bit relaunch, cmd.exe writing into each rundll32.exe it started). Process creation itself writes into the new child's address space, so this signature is process-launch noise here, not a write into an unrelated process, which is what would indicate injection.
Processes (indented by depth in the process tree)

C:\Windows\system32\rundll32.exe    rundll32.exe C:\Users\Admin\AppData\Local\Temp\femordial.dll,#1    PID: 928
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe    rundll32.exe C:\Users\Admin\AppData\Local\Temp\femordial.dll,#1    PID: 752
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 604    PID: 1212
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 820    PID: 4376
          - Program crash
Note: this subtree is the sample's actual execution. The 64-bit rundll32.exe (PID 928) relaunched the 32-bit SysWOW64 copy (PID 752) to host the 32-bit DLL's export #1, and that host crashed twice.

C:\Windows\System32\rundll32.exe    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding    PID: 1596

C:\Windows\System32\rundll32.exe    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding    PID: 1740
Note: these two rundll32.exe instances are COM local servers activated by the shell (the -Embedding switch); they are top-level processes with no link to the sample's tree and no signature hits.

C:\Windows\system32\cmd.exe    "C:\Windows\system32\cmd.exe"    PID: 4112
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4296
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 2996
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4592
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 2556
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4388
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 204
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 1324
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 3812
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 528
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 1764
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 696
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4448
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 3248
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 700
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4168
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 1016
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4792
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 1940
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 988
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 3796
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 424
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4276
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 4352
    C:\Windows\system32\rundll32.exe    rundll32.exe femordial.dll    PID: 3708
Note: 24 launches from an interactive cmd.exe, each invoking the DLL by bare name with no export specified and none producing a signature hit. This is activity driven from inside the VM during the run, not behaviour of the sample itself.

C:\Windows\system32\taskmgr.exe    "C:\Windows\system32\taskmgr.exe" /0    PID: 2212
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Note: Task Manager is a top-level process with no parent in the sample's tree; the seven signatures attached to it describe Task Manager's own behaviour and should not be read as capabilities of femordial.dll.
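Most of the signature volume on this page comes from processes outside the sample's own tree, and the WriteProcessMemory rows are all parent-into-child writes. The Python below is an added example, not part of the report: it rebuilds the process tree from the Processes section, separates WriteProcessMemory rows into parent-to-own-child writes and writes into unrelated processes, pulls the crashed PID out of each WerFault.exe command line, and groups the signature hits by whether the reporting process descends from the sample's rundll32.exe host. The process and event data are transcribed from this page; the parent links follow the tree depth shown, and the "own child means process-launch noise" heuristic is the editor's assumption.

```python
"""Rebuild this report's process tree and attribute signature hits and
WriteProcessMemory rows to the sample's lineage or to other processes in the VM.
Added example; data transcribed from the report, heuristics are assumptions."""
import re
from collections import defaultdict

# The 24 rundll32.exe children of cmd.exe (PID 4112), in report order.
CMD_CHILDREN = [4296, 2996, 4592, 2556, 4388, 204, 1324, 3812, 528, 1764, 696, 4448,
                3248, 700, 4168, 1016, 4792, 1940, 988, 3796, 424, 4276, 4352, 3708]

# (pid, parent pid or None for a top-level process, image, command line),
# transcribed from the Processes section; parent links follow the tree depth.
PROCESSES = [
    (928, None, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\femordial.dll,#1"),
    (752, 928, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\femordial.dll,#1"),
    (1212, 752, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 604"),
    (4376, 752, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 820"),
    (1596, None, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (1740, None, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding"),
    (4112, None, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2212, None, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /0'),
] + [(pid, 4112, r"C:\Windows\system32\rundll32.exe", "rundll32.exe femordial.dll") for pid in CMD_CHILDREN]

# "Suspicious use of WriteProcessMemory" rows as (writer pid, target pid):
# 928 -> 752 three times, cmd.exe -> each child twice (51 rows, as in the report).
WPM_EVENTS = [(928, 752)] * 3 + [(4112, c) for c in CMD_CHILDREN for _ in range(2)]

# Signature hits as (signature, pid of the reporting process), from the Signatures section.
SIGNATURE_HITS = [
    ("Drops file in Windows directory", 2212),
    ("Checks SCSI registry key(s)", 2212),
    ("Checks processor information in registry", 2212),
    ("Suspicious use of AdjustPrivilegeToken", 2212),
    ("System Location Discovery: System Language Discovery", 752),
    ("Program crash", 1212),
    ("Program crash", 4376),
]

SAMPLE_ROOT = 928  # the rundll32.exe that was handed femordial.dll,#1


def parents(processes):
    """pid -> parent pid (None for top-level processes)."""
    return {pid: ppid for pid, ppid, _, _ in processes}


def root_of(pid, parent_map):
    """Walk up the tree to the top-level ancestor."""
    while parent_map.get(pid) is not None:
        pid = parent_map[pid]
    return pid


def sample_descendants(processes, root=SAMPLE_ROOT):
    """All pids (root included) whose lineage ends at the sample's host."""
    pm = parents(processes)
    return {pid for pid in pm if root_of(pid, pm) == root}


def classify_wpm(events, processes):
    """Split rows into writes into the writer's own child (what process creation
    does into a fresh child; noisy but expected) and writes into any other
    process (the case that would actually suggest injection). Assumption."""
    pm = parents(processes)
    parent_child, cross = [], []
    for writer, target in events:
        (parent_child if pm.get(target) == writer else cross).append((writer, target))
    return parent_child, cross


def werfault_target(cmdline):
    """Crashed pid from a WerFault.exe command line (-p <pid>), or None."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def attribute_hits(hits, processes):
    """Group signature names by whether the reporting pid descends from the sample."""
    sample_pids = sample_descendants(processes)
    out = defaultdict(list)
    for sig, pid in hits:
        out["sample" if pid in sample_pids else "other"].append(sig)
    return dict(out)


if __name__ == "__main__":
    pc, cross = classify_wpm(WPM_EVENTS, PROCESSES)
    print(f"WriteProcessMemory: {len(pc)} parent->child rows, {len(cross)} cross-process rows")
    for _, _, image, cmd in PROCESSES:
        if image.lower().endswith("werfault.exe"):
            print(f"WerFault for pid {werfault_target(cmd)}")
    print(attribute_hits(SIGNATURE_HITS, PROCESSES))
```

On this report the split is stark: all 51 WriteProcessMemory rows are parent-into-child, both WerFault.exe invocations point at PID 752, and only the NLS\Language read and the two crashes belong to the sample's lineage; the remaining hits are Task Manager. The same functions work on any report's process list once transcribed into the same tuple shape.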