Analysis
max time kernel: 135s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 18:10
Static task: static1

Behavioral task: behavioral1
  Sample: RoweHack/Lunar.dll
  Resource: win10v2004-20240426-en

Behavioral task: behavioral2
  Sample: RoweHack/Oni.exe
  Resource: win10v2004-20240426-en

Behavioral task: behavioral3
  Sample: RoweHack/RoweHack.exe
  Resource: win10v2004-20240508-en

Behavioral task: behavioral4
  Sample: RoweHack/bin/d3dcompiler_47.dll
  Resource: win10v2004-20240508-en

Behavioral task: behavioral5
  Sample: RoweHack/bin/msvcp140.dll
  Resource: win10v2004-20240508-en

Behavioral task: behavioral6
  Sample: RoweHack/bin/onih.dll
  Resource: win10v2004-20240426-en
General
Target: RoweHack/bin/d3dcompiler_47.dll
Size: 3.5MB
MD5: 6bc4ada9a7cab72f49c564e6c86b4c3e
SHA1: f0fba01542a0fbe585106f7efd884df65e8c89dc
SHA256: 7d0d1290382ea0e44a3178446a0c202696237e27dbb5f8f0827691092b8f2228
SHA512: d7ec39514c104b40a42cd3ca956ba84f5a78f237a39f40d85ba54983145bce2dfbc7ec5e0cbc1bf8ab64d1d370371a7cba5e30202d2c1f37782db32486ed7f6e
SSDEEP: 49152:nqr33AJsOB8SLXId6mEjWEmNZMKRMbDhQc6555Rqp28ITdGS90tQhveWja37PLE3:nyUa6PcMbWD86dGZR
Malware Config
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  4248  4136         WerFault.exe   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid   process        target process
  PID 740 wrote to memory of 4136  740   rundll32.exe   rundll32.exe
  PID 740 wrote to memory of 4136  740   rundll32.exe   rundll32.exe
  PID 740 wrote to memory of 4136  740   rundll32.exe   rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\RoweHack\bin\d3dcompiler_47.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\RoweHack\bin\d3dcompiler_47.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 612
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4136 -ip 4136