Analysis

max time kernel:  148s
max time network: 149s
platform:         windows10-2004_x64
resource:         win10v2004-20240709-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted:        10-07-2024 15:07
Static task
  static1

Behavioral tasks

  Task         Sample                  Resource
  behavioral1  COMANDA URGENTA.exe     win7-20240704-en
  behavioral2  COMANDA URGENTA.exe     win10v2004-20240709-en
  behavioral3  $PLUGINSDIR/System.dll  win7-20240704-en
  behavioral4  $PLUGINSDIR/System.dll  win10v2004-20240704-en
  behavioral5  $PLUGINSDIR/nsExec.dll  win7-20240704-en
  behavioral6  $PLUGINSDIR/nsExec.dll  win10v2004-20240709-en
General

Target:  $PLUGINSDIR/nsExec.dll
Size:    6KB
MD5:     fdee755c4987e9859e0eec130ee22efd
SHA1:    ba32823881a98da6b92eee1d866be2b3a20c6e5d
SHA256:  e18984e78d58b2383f2c1e8ed0000088ee8d9d469345383618f179176fcddff6
SHA512:  31ba3dad22fd9b78ab3f6017c4373c923d048cf0c010900a131c4533ef185d408a88052aa4cf6184dbe484d44aab9cfa94a052185cf0b9ad19286ed921e4723f
SSDEEP:  96:ft4Vl/7Lo1UBrob9ljNEUgD7cyuM1x9XkraK2A2KAB5VVDyssKZ:ft4Vlw1Iul5J8T1vK20I5VVGsb
Malware Config

Signatures

Program crash (1 IoC)
  Processes:
    pid  pid_target  process       target process
    652  612         WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                     pid  process       target process
    PID 320 wrote to memory of 612  320  rundll32.exe  rundll32.exe
    PID 320 wrote to memory of 612  320  rundll32.exe  rundll32.exe
    PID 320 wrote to memory of 612  320  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
  Signature:    Suspicious use of WriteProcessMemory
  PID:          320
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
      PID:          612
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 612
          Signature:    Program crash
          PID:          652

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 612 -ip 612
  PID:          4016