Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 01:04
Behavioral task: behavioral1
Sample: 9b8333d4e8e160f2ff803411b82fa7ff3340d61e2c80feb425000e5ed80ffe59.dll
Resource: win7-20240221-en
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 9b8333d4e8e160f2ff803411b82fa7ff3340d61e2c80feb425000e5ed80ffe59.dll
Resource: win10v2004-20240508-en
5 signatures, 150 seconds
General
Target: 9b8333d4e8e160f2ff803411b82fa7ff3340d61e2c80feb425000e5ed80ffe59.dll
Size: 76KB
MD5: f089bda47687afe1c3342e67329b2b69
SHA1: 1909d310e428aaae7fe3944bc4e29ee94b3ca78c
SHA256: 9b8333d4e8e160f2ff803411b82fa7ff3340d61e2c80feb425000e5ed80ffe59
SHA512: d7f98c038ea1a7a529a5b2b241251194a1dee92a9578c921c69dd2479506e959113780178bb9086b5c774d8ccd5f8864c0629026eb87f83c2b5efb2a32c95581
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZmT2l:c8y93KQjy7G55riF1cMo03gql
Score: 9/10
Malware Config
Signatures
UPX dump on OEP (original entry point), 2 IoCs
    resource                                                                      yara_rule
    behavioral2/memory/4220-0-0x0000000010000000-0x0000000010030000-memory.dmp    UPX
    behavioral2/memory/4220-1-0x0000000010000000-0x0000000010030000-memory.dmp    UPX
    behavioral2/memory/4220-0-0x0000000010000000-0x0000000010030000-memory.dmp    upx
    behavioral2/memory/4220-1-0x0000000010000000-0x0000000010030000-memory.dmp    upx
Program crash, 1 IoC
    pid     pid_target    Process         procid_target
    3592    4220          WerFault.exe    80
Suspicious use of AdjustPrivilegeToken, 1 IoC
    description                pid     Process
    Token: SeDebugPrivilege    4220    rundll32.exe
Suspicious use of WriteProcessMemory, 3 IoCs
    description                         pid     Process         procid_target
    PID 4480 wrote to memory of 4220    4480    rundll32.exe    80
    PID 4480 wrote to memory of 4220    4480    rundll32.exe    80
    PID 4480 wrote to memory of 4220    4480    rundll32.exe    80
Processes
1. C:\Windows\system32\rundll32.exe (PID 4480)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b8333d4e8e160f2ff803411b82fa7ff3340d61e2c80feb425000e5ed80ffe59.dll,#1
   signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 4220)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b8333d4e8e160f2ff803411b82fa7ff3340d61e2c80feb425000e5ed80ffe59.dll,#1
      signatures: Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\WerFault.exe (PID 3592)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 712
         signatures: Program crash
1. C:\Windows\SysWOW64\WerFault.exe (PID 4504)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4220 -ip 4220
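The signatures and process tree above describe three things a detection engineer would want to catch independently of this sandbox: rundll32 loading a DLL from the user's Temp directory by export ordinal (`,#1`), the 64-bit `system32\rundll32.exe` re-launching `SysWOW64\rundll32.exe` (the hand-off rundll32 performs on x64 when handed a 32-bit DLL, which is why the UPX-unpacked image lands at the 32-bit base 0x10000000), and WerFault being started for the rundll32 host after it crashed. The script below is an added example, not part of the sandbox report or any vendor tooling: it runs those three checks over constructed process-creation events modelled on the tree above. The PIDs, images and command lines are the report's; the event field names (`pid`, `ppid`, `image`, `cmdline`), the rule names, and the `None` parent PIDs of the two root processes (not shown in the report) are assumptions.

```python
import re

# Constructed process-creation events modelled on the report's process tree.
# PIDs, images and command lines come from the report; the field names and the
# None parent PIDs of the two root processes are assumptions (not in the report).
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\9b8333d4e8e160f2ff803411b82fa7ff3340d61e2c80feb425000e5ed80ffe59.dll")
SAMPLE_EVENTS = [
    {"pid": 4480, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 4220, "ppid": 4480, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 3592, "ppid": 4220, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 712"},
    {"pid": 4504, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4220 -ip 4220"},
]

# rundll32 <dll>,<export>: the DLL may be quoted; the export is a name or "#ordinal".
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>"[^"]+"|[^\s,]+),(?P<export>#?\w+)', re.I)
# WerFault names the faulting process with "-p <pid>" (both forms seen in the report).
WERFAULT_TARGET_RE = re.compile(r"(?:^|\s)-p\s+(\d+)", re.I)
# User-writable staging location used by the sample.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding dict (with a 'rule' key) per matched pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    crashed = set()  # report each crashed rundll32 host once, even with two WerFault instances
    for e in events:
        name, cmd = _basename(e["image"]), e["cmdline"]
        if name == "rundll32.exe":
            m = RUNDLL32_RE.search(cmd)
            if m:
                dll, export = m.group("dll").strip('"'), m.group("export")
                if export.startswith("#") and USER_TEMP_RE.search(dll):
                    findings.append({"rule": "rundll32_temp_dll_by_ordinal",
                                     "pid": e["pid"], "dll": dll, "export": export})
            parent = by_pid.get(e["ppid"])
            if (parent and _basename(parent["image"]) == "rundll32.exe"
                    and "\\syswow64\\" in e["image"].lower()
                    and "\\system32\\" in parent["image"].lower()):
                findings.append({"rule": "rundll32_wow64_handoff",
                                 "pid": e["pid"], "ppid": parent["pid"]})
        elif name == "werfault.exe":
            m = WERFAULT_TARGET_RE.search(cmd)
            if m:
                target = by_pid.get(int(m.group(1)))
                if (target and _basename(target["image"]) == "rundll32.exe"
                        and target["pid"] not in crashed):
                    crashed.add(target["pid"])
                    findings.append({"rule": "rundll32_host_crashed",
                                     "pid": e["pid"], "target_pid": target["pid"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields four findings: the ordinal-load rule fires for both rundll32 instances (4480 and 4220), the WoW64 hand-off fires once for 4220 with parent 4480, and the crash rule fires once for target 4220 even though two WerFault processes reference it. The ordinal check is the one most likely to catch a variant on its own; the crash rule on its own is noisy (rundll32 crashes on legitimate but broken DLLs too) and is best used to corroborate the first two.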