Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-05-2024 00:18
Behavioral task: behavioral1
  Sample: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll
  Resource: win10v2004-20240508-en
General
  Target: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll
  Size: 95KB
  MD5: 38098115b28513e9953ac978b324aeea
  SHA1: 73271e4c7e37fbb2493ed03f6269ca9dddda8070
  SHA256: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8
  SHA512: 20d56dc6bad1a8899efbc7293c4cc825fae1d40ce0734a8af3971418729b17c0e0cdb4af7fee10ea5efcf648a5268b5d3d3212c61ed18a31c11d5e0d8563b4a8
  SSDEEP: 1536:NkGwueOJxhi6loej9cX8VAU0EgB2AW6dY5pZn4nDx2W6:umivAq7186a4nDxI
Malware Config
Signatures
  Drops startup file (1 IoC)
    Processes (description | ioc | process):
      File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssqsvqui.exe | rundll32.exe
  Program crash (1 IoC)
    Processes (pid | pid_target | process | target process):
      836 | 2628 | WerFault.exe | rundll32.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Processes (description | pid | process):
      Token: SeSecurityPrivilege | 2628 | rundll32.exe
      Token: SeDebugPrivilege | 2628 | rundll32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes (description | pid | process | target process):
      PID 1692 wrote to memory of 2628 | 1692 | rundll32.exe | rundll32.exe
      PID 1692 wrote to memory of 2628 | 1692 | rundll32.exe | rundll32.exe
      PID 1692 wrote to memory of 2628 | 1692 | rundll32.exe | rundll32.exe
Processes (process tree; indentation shows parent/child depth)
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll,#1
      signatures: Drops startup file; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 704
        signatures: Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2628 -ip 2628