Analysis
max time kernel: 62s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 22:40
Behavioral task: behavioral1
Sample: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll
Resource: win7-20231129-en
Signatures: 5
Duration: 150 seconds

Behavioral task: behavioral2
Sample: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll
Resource: win10v2004-20240508-en
Signatures: 6
Duration: 150 seconds
General
Target: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll
Size: 76KB
MD5: 5c393a405ea238348c8dbc74ff21ed68
SHA1: 09ef0a70b3599823f5077fe7b3efd85363e00d58
SHA256: 6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603
SHA512: 8f2d09670931fc51c695bbf4557655249a7589d0a19dda9278d9634e7306e67688d4ebc35077056dce7e8d1c771c042ab8c32b5a363d108ecee5bfa240e55b9f
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZdS:c8y93KQjy7G55riF1cMo03PS
Score
9/10
Malware Config
Signatures

UPX dump on OEP (original entry point) (2 IoCs)
resource                                                                    yara_rule
behavioral2/memory/372-0-0x0000000010000000-0x0000000010030000-memory.dmp  UPX
behavioral2/memory/372-2-0x0000000010000000-0x0000000010030000-memory.dmp  UPX

Modifies AppInit DLL entries (2 TTPs)

resource                                                                    yara_rule
behavioral2/memory/372-0-0x0000000010000000-0x0000000010030000-memory.dmp  upx
behavioral2/memory/372-2-0x0000000010000000-0x0000000010030000-memory.dmp  upx

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
3600  372         WerFault.exe  82

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid  Process
Token: SeDebugPrivilege  372  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                    pid  Process       procid_target
PID 392 wrote to memory of 372  392  rundll32.exe  82
PID 392 wrote to memory of 372  392  rundll32.exe  82
PID 392 wrote to memory of 372  392  rundll32.exe  82
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll,#1
  PID: 392
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6099efc294e4a3afca69f57409d4108609ba124fc2a9c727a4380037b1f87603.dll,#1
      PID: 372
      Signatures: Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 712
          PID: 3600
          Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 372 -ip 372
  PID: 2264