Analysis
max time kernel: 102s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-08-2024 21:12
Behavioral task: behavioral1
Sample: 9e4eca2c84f9d446dbdad4808a156ec0N.dll
Resource: win7-20240705-en
5 signatures
120 seconds
General
Target: 9e4eca2c84f9d446dbdad4808a156ec0N.dll
Size: 76KB
MD5: 9e4eca2c84f9d446dbdad4808a156ec0
SHA1: 26254f201a60e8ba8feefe3009dbbcd2b3223a34
SHA256: d219aae81d0f44e7375d89f72a4b366347f7a278812fe87f2b2aee5f948ac5f2
SHA512: 2071694fe66ab0ba90810be1eefc9f95856dbd52d5753df6c31b3cae4a7f7e639cd05543536f81da95e7aaa5848670283939fdd76ccdff5794d6d8f3ba9855b8
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZnIx:c8y93KQjy7G55riF1cMo03VIx
Malware Config
Signatures
Processes:
resource: behavioral2/memory/4656-0-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
resource: behavioral2/memory/4656-1-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
Program crash 1 IoCs
Processes:
pid: 2948, pid_target: 4656, Process: WerFault.exe, procid_target: 84
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege, pid: 4656, Process: rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description: PID 5008 wrote to memory of 4656, pid: 5008, Process: rundll32.exe, procid_target: 84
description: PID 5008 wrote to memory of 4656, pid: 5008, Process: rundll32.exe, procid_target: 84
description: PID 5008 wrote to memory of 4656, pid: 5008, Process: rundll32.exe, procid_target: 84
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e4eca2c84f9d446dbdad4808a156ec0N.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 5008
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e4eca2c84f9d446dbdad4808a156ec0N.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4656
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 716
          - Program crash
          PID: 2948
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
  PID: 3808