Analysis

max time kernel: 105s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-08-2024 02:31

Behavioral task: behavioral1
Sample: bb0d1e8f3446f47e4cd59abfb08af930N.dll
Resource: win7-20240705-en
10 signatures
120 seconds
General

Target: bb0d1e8f3446f47e4cd59abfb08af930N.dll
Size: 80KB
MD5: bb0d1e8f3446f47e4cd59abfb08af930
SHA1: 3605a8d0748e0135cd3cef9c85fe7a36fa64de2d
SHA256: c8e55a8562af00cbc28c55b00beaf6a9bcf8d0b2187044df97eaef3fe0638731
SHA512: e57f4dfe24656ba4952a8771bbbc0314107dd350deffc17d51145909bf99e80be1dab0b9762d0037440e588d74de24fbd6fd611245c98ded8db79a2748008809
SSDEEP: 1536:5POOhfbOjovgdVydUgoNrwBZXGDaZ1QIxrfItMgR7ZaO+fGxHZPE47:5dbwovEVyqgoZmZXWfIdQdRaefPN7
Malware Config
Signatures

yara_rule match: upx
resource                                                                   | yara_rule
behavioral2/memory/4056-0-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral2/memory/4056-2-0x0000000010000000-0x0000000010033000-memory.dmp | upx

Network Service Discovery (arp.exe processes; see the Processes section)
pid  | Process
2484 | arp.exe
2264 | arp.exe
2124 | arp.exe
212  | arp.exe
4928 | arp.exe
1020 | arp.exe
4620 | arp.exe
3456 | arp.exe
2536 | arp.exe

Program crash 1 IoCs
pid  | pid_target | Process      | procid_target
2012 | 4056       | WerFault.exe | 84

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                      | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description             | pid  | Process
Token: SeDebugPrivilege | 4056 | rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs
Each row below is recorded three times in the report (30 IoCs in total).
description                      | pid  | Process      | procid_target
PID 1804 wrote to memory of 4056 | 1804 | rundll32.exe | 84
PID 4056 wrote to memory of 2484 | 4056 | rundll32.exe | 86
PID 4056 wrote to memory of 2536 | 4056 | rundll32.exe | 89
PID 4056 wrote to memory of 212  | 4056 | rundll32.exe | 90
PID 4056 wrote to memory of 3456 | 4056 | rundll32.exe | 91
PID 4056 wrote to memory of 2124 | 4056 | rundll32.exe | 92
PID 4056 wrote to memory of 4620 | 4056 | rundll32.exe | 93
PID 4056 wrote to memory of 1020 | 4056 | rundll32.exe | 94
PID 4056 wrote to memory of 2264 | 4056 | rundll32.exe | 95
PID 4056 wrote to memory of 4928 | 4056 | rundll32.exe | 96
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0d1e8f3446f47e4cd59abfb08af930N.dll,#1
  PID: 1804
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0d1e8f3446f47e4cd59abfb08af930N.dll,#1
      PID: 4056
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -a
          PID: 2484
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 10.127.0.1 aa-9a-69-f8-12-4f
          PID: 2536
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 10.127.255.255 94-b0-67-48-20-00
          PID: 212
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 49.12.169.207 2b-44-ff-25-87-9f
          PID: 3456
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 224.0.0.22 a5-78-f5-5b-c4-c2
          PID: 2124
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 224.0.0.251 20-93-36-45-d5-ee
          PID: 4620
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 224.0.0.252 4c-43-e3-49-91-fb
          PID: 1020
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 239.255.255.250 54-2a-a8-e1-76-a4
          PID: 2264
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\arp.exe
          Command line: arp -s 255.255.255.255 b1-13-29-fc-0b-3a
          PID: 4928
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 708
          PID: 2012
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4056 -ip 4056
  PID: 2492