Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted
12-07-2024 13:45
Static task
static1
Behavioral task
behavioral1
Sample
Quotation-15-02-2021_PDF.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Quotation-15-02-2021_PDF.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
0jxlr2n3sx9a9r.dll
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
0jxlr2n3sx9a9r.dll
Resource
win10v2004-20240709-en
General
Target
0jxlr2n3sx9a9r.dll
Size
13KB
MD5
9ec36c1f7989533c81de064104ea35ab
SHA1
9a9f608e7bf4e4f06e4804f7b132939d3ee5654d
SHA256
238727a5364853abf73decbd56c4c1e3f3906060e802352b547a296e34dd3646
SHA512
bfb31fd814d2069cf529297c9c4ec4b8d6480012ccbc8f0ea013ce750705d953e47f00f6fa625b95c94c1bcde6763612a6055f91a35428eed0f1e16c6b1bb2e7
SSDEEP
192:hRg35IFoT8RdxD2I9fWJDbHifEePOZEyIDcseAFMbUsE80I/uCg:IIbCMedaBQ3sfFMZE806
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes: rundll32.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe"
process: rundll32.exe
- Program crash (1 IoC)
Processes: WerFault.exe
pid: 3444
pid_target: 1220
process: WerFault.exe
target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: rundll32.exe
pid: 1220
process: rundll32.exe
(the same pid/process pair is reported for all 8 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description: PID 2912 wrote to memory of 1220
pid: 2912
process: rundll32.exe
target process: rundll32.exe
(the same write is reported for all 3 events)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1
  PID: 2912
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1
    PID: 1220
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 736
      PID: 3444
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1220 -ip 1220
  PID: 2056
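The signatures in this report are derived from raw sandbox events: registry writes, cross-process memory writes and process creations. The following Python is an added example, not part of this report or of the sandbox's own tooling. It re-derives the Run-key persistence, WriteProcessMemory and Program crash signatures from event records that are constructed here to mirror the report (the PIDs, images, Run value and WerFault command lines are taken from the report; the record field names and matching rules are this example's own assumptions). It additionally flags the system32 rundll32.exe re-launching the same DLL argument under SysWOW64, which is how rundll32 hands a 32-bit DLL to the 32-bit host on x64 Windows; the report shows that chain in the process tree but does not name it as a signature.

```python
"""Re-derive the report's signatures from constructed sandbox events (added example)."""
import re
from collections import defaultdict

# Run / RunOnce under HKCU (\REGISTRY\USER\<SID>) or HKLM (\REGISTRY\MACHINE),
# including the WOW6432Node view a 32-bit process sees under HKLM.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(USER\\S-1-5-21-[0-9-]+|MACHINE)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

SID = "S-1-5-21-2650514177-1034912467-4025611726-1000"
DLL = r"C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll"

# Constructed event feed mirroring the report. ppid None marks a process whose
# parent the report does not show. Field names are this example's assumption.
EVENTS = [
    {"kind": "process_create", "pid": 2912, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"kind": "process_create", "pid": 1220, "ppid": 2912,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    *({"kind": "write_process_memory", "pid": 2912, "target_pid": 1220} for _ in range(3)),
    {"kind": "reg_set_value", "pid": 1220, "value_type": "str",
     "key": "\\REGISTRY\\USER\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\name",
     "data": r"C:\Users\Admin\AppData\Roaming\folder\file.exe"},
    {"kind": "process_create", "pid": 3444, "ppid": 1220,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 736"},
    {"kind": "process_create", "pid": 2056, "ppid": None,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1220 -ip 1220"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _images(events):
    return {e["pid"]: e["image"] for e in events if e["kind"] == "process_create"}


def run_key_persistence(events):
    """'Adds Run key to start application': any Run/RunOnce value written by a process."""
    hits = []
    for e in events:
        if e["kind"] != "reg_set_value":
            continue
        m = RUN_KEY_RE.match(e["key"])
        if m:
            hits.append({"pid": e["pid"], "value": m.group("value"), "data": e["data"]})
    return hits


def cross_process_writes(events):
    """'Suspicious use of WriteProcessMemory': (writer pid, target pid, target image, count)."""
    images = _images(events)
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "write_process_memory":
            counts[(e["pid"], e["target_pid"])] += 1
    return [(src, dst, _basename(images.get(dst, "?")), n) for (src, dst), n in counts.items()]


def program_crashes(events):
    """'Program crash': WerFault.exe -u -p <pid> names the faulting process.

    The second WerFault instance (-pss ... -p 1220 -ip 1220, shown in the report
    with no parent) refers to the same pid; it is skipped so each crash is counted once.
    """
    images = _images(events)
    crashes = []
    for e in events:
        if e["kind"] != "process_create" or _basename(e["image"]).lower() != "werfault.exe":
            continue
        args = e["cmdline"].split()
        if "-u" in args and "-p" in args:
            target = int(args[args.index("-p") + 1])
            crashes.append((e["pid"], target, _basename(images.get(target, "?"))))
    return crashes


def wow64_rundll32_handoff(events):
    """system32 rundll32.exe spawning SysWOW64 rundll32.exe with the identical command line.

    This is how rundll32 hosts a 32-bit DLL on x64 Windows (the resource tags list both
    arch:x64 and arch:x86); in the report the parent 2912 is also the writer in the
    WriteProcessMemory events. Returns (parent pid, child pid, DLL argument).
    """
    procs = {e["pid"]: e for e in events if e["kind"] == "process_create"}
    out = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        if (_basename(e["image"]).lower() == "rundll32.exe"
                and "\\syswow64\\" in e["image"].lower()
                and _basename(parent["image"]).lower() == "rundll32.exe"
                and "\\system32\\" in parent["image"].lower()
                and parent["cmdline"] == e["cmdline"]):
            out.append((parent["pid"], e["pid"], e["cmdline"].split(" ", 1)[1]))
    return out


if __name__ == "__main__":
    for fn in (run_key_persistence, cross_process_writes, program_crashes, wow64_rundll32_handoff):
        print(fn.__name__, fn(EVENTS))
```

The Run-key matcher is deliberately wider than this one report (HKLM and RunOnce as well as the HKCU key seen here) so the same check carries over to other samples; a value under any other CurrentVersion subkey is not flagged.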