Analysis
- max time kernel: 130s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 04:13
Behavioral task: behavioral1
- Sample: a41012d7605e59fb9d4d16726c50b7c33d3e834c342c7abf19ab23c9a904bfcc.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a41012d7605e59fb9d4d16726c50b7c33d3e834c342c7abf19ab23c9a904bfcc.dll
- Resource: win10v2004-20240426-en
General
- Target: a41012d7605e59fb9d4d16726c50b7c33d3e834c342c7abf19ab23c9a904bfcc.dll
- Size: 76KB
- MD5: 941df7cfe012dadd56262ed993cec110
- SHA1: e02721e5a3bb7ce299b037e86407c13c71026360
- SHA256: a41012d7605e59fb9d4d16726c50b7c33d3e834c342c7abf19ab23c9a904bfcc
- SHA512: fb2bd91bc580daab718a5172973f1978cb041e5b4f68a73764aad8fb7d71a0bcedcae6998c798c21958b00f3a90575d75e97984c80750d4fb63c85be9e88f992
- SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZEBWC:c8y93KQjy7G55riF1cMo03Gd
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/4484-0-0x0000000010000000-0x0000000010030000-memory.dmp  upx
    behavioral2/memory/4484-1-0x0000000010000000-0x0000000010030000-memory.dmp  upx
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    2544  4484        WerFault.exe  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: rundll32.exe
    description              pid   process
    Token: SeDebugPrivilege  4484  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                         pid   process       target process
    PID 1956 wrote to memory of 4484    1956  rundll32.exe  rundll32.exe
    PID 1956 wrote to memory of 4484    1956  rundll32.exe  rundll32.exe
    PID 1956 wrote to memory of 4484    1956  rundll32.exe  rundll32.exe
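The "Modifies AppInit DLL entries" signature means the DLL wrote to the AppInit_DLLs persistence value, which lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (and, for 32-bit DLLs on a 64-bit host, under the matching Wow6432Node key). The report does not show which path was registered, so a triage check on a suspect host has to read both views itself. The script below is an added example, not part of the sandbox report or the sample: it lists AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs from both keys, hashes every file the value points at, and flags any file whose SHA256 equals the sample's. The hash constant is the one from this report; the parsing of the value as a space- or comma-separated path list is a simplifying assumption (bare file names that rely on the DLL search path are reported but not resolved).

```powershell
# Added example (not from the report): hunt for AppInit_DLLs entries and compare
# each registered file against the analysed sample's SHA256.

$SampleSha256 = 'a41012d7605e59fb9d4d16726c50b7c33d3e834c342c7abf19ab23c9a904bfcc'

# Native 64-bit view, then the WOW64 view a 32-bit DLL would have to use.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($Key in $Keys) {
    if (-not (Test-Path -Path $Key)) { continue }
    $Props   = Get-ItemProperty -Path $Key
    $Entries = [string]$Props.AppInit_DLLs

    [PSCustomObject]@{
        Key                       = $Key
        LoadAppInit_DLLs          = $Props.LoadAppInit_DLLs           # 1 = loader honours the list
        RequireSignedAppInit_DLLs = $Props.RequireSignedAppInit_DLLs  # 1 = unsigned entries are skipped
        AppInit_DLLs              = $Entries
    } | Format-List

    if ([string]::IsNullOrWhiteSpace($Entries)) { continue }

    # Assumption: entries are separated by spaces and/or commas and may use %VARS%.
    foreach ($Raw in ($Entries -split '[ ,]+' | Where-Object { $_ })) {
        $Path = [Environment]::ExpandEnvironmentVariables($Raw)
        if (-not (Test-Path -LiteralPath $Path)) {
            Write-Warning "AppInit entry is not an existing absolute path (bare name or missing file): $Path"
            continue
        }
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $Sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $Flag = if ($Hash -eq $SampleSha256) { 'MATCHES SAMPLE' } else { '' }
        '{0}  sha256={1}  signature={2}  {3}' -f $Path, $Hash, $Sig.Status, $Flag
    }
}
```

Two caveats when reading the output: on Windows 8 and later the AppInit_DLLs mechanism is disabled entirely while Secure Boot is on, so a registered entry is not proof that the DLL is actually being loaded; and a non-empty AppInit_DLLs with LoadAppInit_DLLs set to 1 and RequireSignedAppInit_DLLs set to 0 is the weakest configuration, since any unsigned DLL in the list is mapped into every process that loads user32.dll.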
Processes
- C:\Windows\system32\rundll32.exe (PID 1956)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a41012d7605e59fb9d4d16726c50b7c33d3e834c342c7abf19ab23c9a904bfcc.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4484)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a41012d7605e59fb9d4d16726c50b7c33d3e834c342c7abf19ab23c9a904bfcc.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 700
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4484 -ip 4484

Note: the 64-bit rundll32.exe relaunching C:\Windows\SysWOW64\rundll32.exe with an identical command line is rundll32's normal handling of a 32-bit DLL on x64, and the three WriteProcessMemory calls from 1956 into 4484 are consistent with that parent-to-child hand-off rather than with injection into an unrelated process. The export #1 of the DLL then ran in the 32-bit process, which enabled SeDebugPrivilege and subsequently crashed (the WerFault invocations with -p 4484 are the error-reporting handlers for that process). The UPX YARA matches on the 0x10000000-0x10030000 region of PID 4484 are consistent with a 32-bit DLL loaded at its default image base.