Analysis
- max time kernel: 133s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 11:40
Static task
- static1: 1 signatures
Behavioral task
- behavioral1: Sample NlsData0000.dll, Resource win10v2004-20240508-en, 2 signatures, 150 seconds
General
- Target: NlsData0000.dll
- Size: 1.5MB
- MD5: 91589508a02e5eec8a19423a6509e7e8
- SHA1: 3b8676afb25518c712e02153692aa0ff7dd8efcb
- SHA256: a66c4f346d0b8ec07d6a861dbfdef315e7fde01d5ca43ede1a6f5e643f74a21b
- SHA512: dc078155485fb30089bd3925a9fd799e9cab577a02aa8ccfdb37a34c580d82c0afe3effabcf8e3cc058b99924d1ecd72514b2c9a2393410b784e4378ad23030d
- SSDEEP: 24576:XGDSnNLU+fI7sGbEh1BlOy7Aei9fMn04bypry:QQNUeosGULAeifWWry
Score
3/10
Malware Config
Signatures
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2420 | 4748 | WerFault.exe | 82
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3816 wrote to memory of 4748 | 3816 | rundll32.exe | 82
  PID 3816 wrote to memory of 4748 | 3816 | rundll32.exe | 82
  PID 3816 wrote to memory of 4748 | 3816 | rundll32.exe | 82
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NlsData0000.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 3816
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NlsData0000.dll,#1
    PID: 4748
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 600
      Program crash
      PID: 2420
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4748 -ip 4748
  PID: 2704