Analysis
-
max time kernel
88s -
max time network
89s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-08-2024 00:45
Static task
static1
Behavioral task
behavioral1
Sample
c3aa95970aa264cdd6f238987bc6e5b0N.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c3aa95970aa264cdd6f238987bc6e5b0N.dll
Resource
win10v2004-20240802-en
General
-
Target
c3aa95970aa264cdd6f238987bc6e5b0N.dll
-
Size
950KB
-
MD5
c3aa95970aa264cdd6f238987bc6e5b0
-
SHA1
320060e4abec862fa4ae4196100df6fd344b1009
-
SHA256
72d834e83d86b30be875e5b3e952a8b718d2ffcc3ae45226045a07567dbc6442
-
SHA512
d184f3d011e2cc5cb27697af7f4a96dfd211cfb419c0caa63620178aba721ed73ce5e60c743fb1d97cb2442e084ac9c40f6d5193523b9ec95b2958ce829de443
-
SSDEEP
24576:uf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLYUrEH7b:2uscKu6GaXUT4IBAUZLY3
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x00090000000233e3-1.dat floxif -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule behavioral2/files/0x00090000000233e3-1.dat acprotect -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exeWerFault.exeWerFault.exepid Process 3120 rundll32.exe 3120 rundll32.exe 4372 WerFault.exe 3824 WerFault.exe -
Processes:
resource yara_rule behavioral2/files/0x00090000000233e3-1.dat upx behavioral2/memory/3120-3-0x0000000002850000-0x0000000002880000-memory.dmp upx behavioral2/memory/3120-7-0x0000000002850000-0x0000000002880000-memory.dmp upx behavioral2/memory/3120-13-0x0000000002850000-0x0000000002880000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
Processes:
rundll32.exedescription ioc Process File created C:\Program Files\Common Files\System\symsrv.dll rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3824 3120 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid Process Token: SeDebugPrivilege 3120 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid Process procid_target PID 4588 wrote to memory of 3120 4588 rundll32.exe 84 PID 4588 wrote to memory of 3120 4588 rundll32.exe 84 PID 4588 wrote to memory of 3120 4588 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c3aa95970aa264cdd6f238987bc6e5b0N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c3aa95970aa264cdd6f238987bc6e5b0N.dll,#12⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3120 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 7003⤵
- Loads dropped DLL
- Program crash
PID:3824
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3120 -ip 31201⤵
- Loads dropped DLL
PID:4372
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab