Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 16-08-2024 21:12
Behavioral task: behavioral1
Sample: 9e4eca2c84f9d446dbdad4808a156ec0N.dll
Resource: win7-20240705-en
5 signatures, 120 seconds
General
Target: 9e4eca2c84f9d446dbdad4808a156ec0N.dll
Size: 76KB
MD5: 9e4eca2c84f9d446dbdad4808a156ec0
SHA1: 26254f201a60e8ba8feefe3009dbbcd2b3223a34
SHA256: d219aae81d0f44e7375d89f72a4b366347f7a278812fe87f2b2aee5f948ac5f2
SHA512: 2071694fe66ab0ba90810be1eefc9f95856dbd52d5753df6c31b3cae4a7f7e639cd05543536f81da95e7aaa5848670283939fdd76ccdff5794d6d8f3ba9855b8
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZnIx:c8y93KQjy7G55riF1cMo03VIx
Malware Config: (empty; no configuration was extracted from this sample)
Signatures

Yara rule hit: upx 4 IoCs
resource | yara_rule
behavioral1/memory/1788-0-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/1788-2-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/1788-1-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/1788-3-0x0000000010000000-0x0000000010030000-memory.dmp | upx
All four dumps cover the same region of pid 1788 (the 32-bit rundll32.exe hosting the DLL): base 0x10000000, the default preferred image base for 32-bit DLLs, size 0x30000 (192 KB). A 192 KB mapped image for a 76 KB file is consistent with a UPX stub decompressing the real image in place at load, so these dumps hold the unpacked DLL rather than the bytes on disk.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1304 | 1788 | WerFault.exe | 30
WerFault.exe (pid 1304) was started to handle a crash in pid 1788, so the recorded behaviour of the DLL ends at that crash; whatever it would have done afterwards is absent from this run.

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001).
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
On its own this read is weak evidence: locale-aware runtime libraries open the same key during normal initialisation, so treat the hit as context rather than as a detection.

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1788 | rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target | count
PID 2988 wrote to memory of 1788 | 2988 | rundll32.exe | 30 | 7
PID 1788 wrote to memory of 1304 | 1788 | rundll32.exe | 31 | 4
Both write pairs are parent into child: the 64-bit System32\rundll32.exe (2988) re-launched the 32-bit SysWOW64\rundll32.exe (1788) to host the 32-bit DLL, and the writes from 2988 into 1788 are the ones that accompany process creation; 1788 then wrote into the WerFault.exe (1304) it spawned on crashing. Neither is a write into an unrelated process, which is the case this signature is meant to surface.
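The two checks worth running over these tables, written out as an added Python example that is not part of the sandbox report or its tooling. The yara hit lines and the WriteProcessMemory events are copied inline from the tables above as constructed input, the parent map comes from the process tree on this page, and the 76 KB file size from the General table; any pid not in that map (the 4444 used in the usage note) is a made-up value to exercise the non-parent case.

```python
"""Re-check the signature tables of this sandbox report.

Added example, not the report's own code. It re-parses the yara
memory-dump hits and the WriteProcessMemory events exactly as they
appear on the page (copied inline below) and answers two questions:

  1. how large the UPX-flagged in-memory region is relative to the
     76 KB file on disk, and
  2. whether each WriteProcessMemory event is a parent writing into a
     child it just spawned (expected when rundll32 launches its 32-bit
     copy, and for the WerFault hand-off) or a write into an unrelated
     process, which is what injection looks like in these tables.
"""
import re
from collections import Counter

# Constructed input: the four yara rows from the report, verbatim.
YARA_HITS = """\
behavioral1/memory/1788-0-0x0000000010000000-0x0000000010030000-memory.dmp upx
behavioral1/memory/1788-2-0x0000000010000000-0x0000000010030000-memory.dmp upx
behavioral1/memory/1788-1-0x0000000010000000-0x0000000010030000-memory.dmp upx
behavioral1/memory/1788-3-0x0000000010000000-0x0000000010030000-memory.dmp upx
"""

# Constructed input: the eleven WriteProcessMemory rows from the report.
WPM_EVENTS = """\
PID 2988 wrote to memory of 1788 2988 rundll32.exe 30
PID 2988 wrote to memory of 1788 2988 rundll32.exe 30
PID 2988 wrote to memory of 1788 2988 rundll32.exe 30
PID 2988 wrote to memory of 1788 2988 rundll32.exe 30
PID 2988 wrote to memory of 1788 2988 rundll32.exe 30
PID 2988 wrote to memory of 1788 2988 rundll32.exe 30
PID 2988 wrote to memory of 1788 2988 rundll32.exe 30
PID 1788 wrote to memory of 1304 1788 rundll32.exe 31
PID 1788 wrote to memory of 1304 1788 rundll32.exe 31
PID 1788 wrote to memory of 1304 1788 rundll32.exe 31
PID 1788 wrote to memory of 1304 1788 rundll32.exe 31
"""

# Parent of each pid, taken from the process tree on the page.
PARENT = {2988: None, 1788: 2988, 1304: 1788}
FILE_SIZE = 76 * 1024  # "Size 76KB" from the General table

DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)"
    r"-memory\.dmp\s+(?P<rule>\S+)")
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_id>\d+)")


def parse_yara_hits(text):
    """One dict per dump line: pid, dump index, region start and size, rule name."""
    hits = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                     "start": start, "size": end - start, "rule": m["rule"]})
    return hits


def region_summary(hits, file_size=FILE_SIZE):
    """Collapse repeated dumps of one region and compare its size with the file on disk."""
    regions = sorted({(h["pid"], h["start"], h["size"]) for h in hits})
    return [{"pid": pid, "base": hex(start), "size": size,
             "ratio_to_file": round(size / file_size, 2)}
            for pid, start, size in regions]


def parse_wpm_events(text):
    """(source pid, target pid, source image) per WriteProcessMemory row."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in WPM_RE.finditer(text)]


def classify_writes(events, parent=PARENT):
    """Group writes by (source, target); a write into one's own child is expected."""
    counts = Counter((src, dst) for src, dst, _ in events)
    result = []
    for (src, dst), n in sorted(counts.items()):
        expected = parent.get(dst) == src
        result.append({"source": src, "target": dst, "count": n,
                       "verdict": "parent->child (launch/hand-off)" if expected
                       else "cross-process write: review"})
    return result


def crashed_pid(werfault_cmdline):
    """Pull the faulting pid out of a WerFault command line (the -p argument)."""
    m = re.search(r"-p\s+(\d+)", werfault_cmdline)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for r in region_summary(parse_yara_hits(YARA_HITS)):
        print(f"pid {r['pid']}: upx region at {r['base']}, {r['size']} bytes, "
              f"{r['ratio_to_file']}x the file on disk")
    for w in classify_writes(parse_wpm_events(WPM_EVENTS)):
        print(f"{w['source']} -> {w['target']} x{w['count']}: {w['verdict']}")
    print("WerFault handled pid",
          crashed_pid(r"C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 272"))
```

For this report the summary is one region (pid 1788, base 0x10000000, 0x30000 bytes, about 2.5 times the file size) and two write pairs, both parent into child. Feeding `classify_writes` a constructed event such as `(1788, 4444, "rundll32.exe")`, where 4444 is not a child of 1788, returns the "cross-process write: review" verdict, which is the shape an injection would take in the same table.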
Processes

C:\Windows\system32\rundll32.exe (PID 2988)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e4eca2c84f9d446dbdad4808a156ec0N.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 1788)
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e4eca2c84f9d446dbdad4808a156ec0N.dll,#1
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\WerFault.exe (PID 1304)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 272
            - Program crash

The sandbox invoked the DLL as rundll32 ... ,#1, i.e. its export at ordinal 1. Because the DLL is 32-bit (arch:x86), the 64-bit rundll32.exe handed it to the SysWOW64 copy with the same command line; that copy (pid 1788) is the process in which every DLL-attributed signature fired and which then crashed, and WerFault's -p 1788 names it as the faulting process.