Analysis
-
max time kernel
136s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-08-2024 03:44
Static task
static1
Behavioral task
behavioral1
Sample
2021FI30005.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2021FI30005.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
3qk9.dll
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
3qk9.dll
Resource
win10v2004-20240802-en
General
-
Target
3qk9.dll
-
Size
10KB
-
MD5
8f9290de28c93e280c387b72adf45543
-
SHA1
305b45d1ca5d6de308cdc76796548a04ec677a98
-
SHA256
75597e1e381141f1606bf96c2b7a6c5b7eb1fa3ea65e37152bdb305155776192
-
SHA512
7c4694b53e8ad79fc78d5044528026ca3d000434a8b0121b89bfc1335c97b0a242774ed4d96b7a777fd65f034ef1a18d656dbe27967d616157912afe372a49db
-
SSDEEP
192:WlnU0vJoAyHzUrI95m2XaM4GGI2gcfo+wZjmqT/:WlFyTUQ5m2K1GPHcDvc
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 552 4548 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4548 rundll32.exe 4548 rundll32.exe 4548 rundll32.exe 4548 rundll32.exe 4548 rundll32.exe 4548 rundll32.exe 4548 rundll32.exe 4548 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3604 wrote to memory of 4548 3604 rundll32.exe 84 PID 3604 wrote to memory of 4548 3604 rundll32.exe 84 PID 3604 wrote to memory of 4548 3604 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3qk9.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3qk9.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4548 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 6723⤵
- Program crash
PID:552
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4548 -ip 45481⤵PID:4968