Analysis

max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 22:40
Behavioral task behavioral1
Sample: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll
Resource: win7-20231129-en
5 signatures, 150 seconds

Behavioral task behavioral2
Sample: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll
Resource: win10v2004-20240508-en
6 signatures, 150 seconds
General

Target: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll
Size: 76KB
MD5: 5c393a405ea238348c8dbc74ff21ed68
SHA1: 09ef0a70b3599823f5077fe7b3efd85363e00d58
SHA256: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603
SHA512: 8f2d09670931fc51c695bbf4557655249a7589d0a19dda9278d9634e7306e67688d4ebc35077056dce7e8d1c771c042ab8c32b5a363d108ecee5bfa240e55b9f
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZdS:c8y93KQjy7G55riF1cMo03PS
Score: 9/10
Malware Config
Signatures

UPX dump on OEP (original entry point), 4 IoCs

resource                                                                    yara_rule
behavioral1/memory/2232-0-0x0000000010000000-0x0000000010030000-memory.dmp  UPX, upx
behavioral1/memory/2232-1-0x0000000010000000-0x0000000010030000-memory.dmp  UPX, upx
behavioral1/memory/2232-2-0x0000000010000000-0x0000000010030000-memory.dmp  UPX, upx
behavioral1/memory/2232-3-0x0000000010000000-0x0000000010030000-memory.dmp  UPX, upx

All four dumps cover the same region, 0x10000000-0x10030000 (0x30000 bytes, 192 KB), in the WoW64 rundll32.exe process 2232. 0x10000000 is the default image base of a 32-bit DLL, so these are snapshots of the loaded sample once the UPX stub has decompressed it and reached the original entry point; the in-memory image being larger than the 76 KB file on disk is what you expect from a UPX-packed module. Both YARA rules (UPX and upx) matched each dump. For unpacked-code analysis, take one of these dumps rather than the file on disk.

Program crash, 1 IoC

pid   pid_target  Process       procid_target
2548  2232        WerFault.exe  28

Suspicious use of AdjustPrivilegeToken, 1 IoC

description              pid   Process
Token: SeDebugPrivilege  2232  rundll32.exe

Suspicious use of WriteProcessMemory, 11 IoCs

description                        pid   Process       procid_target  count
PID 2372 wrote to memory of 2232   2372  rundll32.exe  28             7
PID 2232 wrote to memory of 2548   2232  rundll32.exe  29             4

Treat the WriteProcessMemory hits with care: in both rows the target is the writer's own newly created child (2372 launched 2232, 2232 launched WerFault.exe 2548). Writes into a child during process creation are consistent with normal startup setup by the parent, not with injection into an unrelated process, so on their own they do not show code injection. The SeDebugPrivilege request by PID 2232 is the stronger signal here, since a plain DLL run via rundll32 has no benign reason to enable that privilege.
Processes

C:\Windows\system32\rundll32.exe (PID 2372)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll,#1
    Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2232)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll,#1
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (PID 2548)
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 332
        Program crash

Reading the tree: the sandbox invokes the DLL through rundll32 by export ordinal (",#1") rather than by an exported name. The 64-bit System32 rundll32.exe (2372) finds a 32-bit DLL and re-executes itself as the SysWOW64 rundll32.exe (2232), which is why the x86 tag appears alongside x64 and why every later IoC is attached to PID 2232. That process then enables SeDebugPrivilege and crashes; WerFault.exe -p 2232 is Windows Error Reporting handling the fault of PID 2232. The recorded behaviour therefore covers only what the DLL did before it crashed under rundll32, and a run with a different host process or export may show more.
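The chain above (rundll32 loading a DLL from the user's Temp directory, re-launching under SysWOW64, then WerFault reporting a crash of that same PID) is something a SOC can hunt for in process-creation telemetry. The following is an added example, not part of this sandbox report or of any tool it uses. The events are constructed to mirror the reported tree (PIDs 2372 -> 2232 -> 2548, command lines copied from the report) with one benign rundll32 invocation added as noise; the field names (pid, ppid, image, cmdline) loosely follow Sysmon Event ID 1 records, which is an assumption, and the three rule names are made up for this example.

```python
"""Hunt for the rundll32 -> WoW64 rundll32 -> WerFault chain shown in the report.

Added example, not part of the sandbox report. Events are constructed
(assumption) from the report's process tree; field naming is Sysmon-like.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll")

# Constructed telemetry; PIDs and command lines are taken from the report's tree.
EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2372, 1000, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2232, 2372, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2548, 2232, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 332"),
    # Benign noise: rundll32 loading a system DLL by export name, not from Temp.
    ProcEvent(3000, 1000, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

# A DLL under the user-writable Temp path followed by an export: ",#1" (ordinal) or ",Name".
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,(#\d+|\w+)", re.I)
# WerFault's -p argument is the PID of the process that crashed.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe.*\s-p\s+(\d+)", re.I)


def is_rundll32(ev):
    return ev.image.lower().endswith("\\rundll32.exe")


def hunt(events):
    """Return (rule, subject_pid, detail) tuples for the behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if is_rundll32(ev):
            m = TEMP_DLL_RE.search(ev.cmdline)
            if not m:
                continue
            # Rule 1: rundll32 loading a DLL dropped under %LOCALAPPDATA%\Temp.
            findings.append(("rundll32_temp_dll", ev.pid, m.group(1)))
            parent = by_pid.get(ev.ppid)
            # Rule 2: 64-bit System32 rundll32 re-launching the DLL under SysWOW64.
            if (parent and is_rundll32(parent)
                    and "\\syswow64\\" in ev.image.lower()
                    and "\\system32\\" in parent.image.lower()):
                findings.append(("rundll32_wow64_relaunch", ev.pid, parent.pid))
        else:
            m = WERFAULT_PID_RE.search(ev.cmdline)
            if not m:
                continue
            crashed = by_pid.get(int(m.group(1)))
            # Rule 3: the crashed process is a rundll32 that had loaded a Temp DLL.
            if crashed and is_rundll32(crashed) and TEMP_DLL_RE.search(crashed.cmdline):
                findings.append(("werfault_after_temp_dll", crashed.pid, ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:26} pid={pid} detail={detail}")
```

Run against the constructed events it flags 2372 and 2232 for the Temp DLL, 2232 for the WoW64 relaunch from 2372, and the WerFault crash of 2232, while the shell32.dll invocation by PID 3000 produces nothing. Rule 1 alone is noisy in environments where installers legitimately stage DLLs in Temp; the WerFault correlation and the SeDebugPrivilege hit from the report are what raise this to an incident.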