Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 04:17
Behavioral task: behavioral1
Sample: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll
Resource: win10v2004-20240508-en
General
Target: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll
Size: 76KB
MD5: 3b8da76aaebec6d8aab5dacfd9fff370
SHA1: 462c82c2a234ac9269e746f6d0976bd25ced9f00
SHA256: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651
SHA512: 6cafe4478155677b9e2a877a1edb25c839442c4ccbfd9f63286d25fc4070986b361a79f313de538858a3a99bfcaef1a65d64225c275056ed8d7c6362000423ea
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZjL73:c8y93KQjy7G55riF1cMo03h3
Malware Config
Signatures
Processes (yara rule matches):
resource                                                                      | yara_rule
behavioral1/memory/2884-0-0x0000000010000000-0x0000000010030000-memory.dmp   | upx
behavioral1/memory/2884-1-0x0000000010000000-0x0000000010030000-memory.dmp   | upx

Program crash (1 IoC)
Processes:
pid  | pid_target | process      | target process
1708 | 2884       | WerFault.exe | rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description             | pid  | process
Token: SeDebugPrivilege | 2884 | rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description                       | pid  | process      | target process
PID 2868 wrote to memory of 2884  | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2884  | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2884  | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2884  | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2884  | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2884  | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2884  | 2868 | rundll32.exe | rundll32.exe
PID 2884 wrote to memory of 1708  | 2884 | rundll32.exe | WerFault.exe
PID 2884 wrote to memory of 1708  | 2884 | rundll32.exe | WerFault.exe
PID 2884 wrote to memory of 1708  | 2884 | rundll32.exe | WerFault.exe
PID 2884 wrote to memory of 1708  | 2884 | rundll32.exe | WerFault.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll,#1
  PID: 2868
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll,#1
    PID: 2884
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 308
      PID: 1708
      - Program crash