Overview

overview

10

Static

static

3

QUOTATION.exe

windows7-x64

10

QUOTATION.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

k08cwjcrlzilk8t.dll

windows7-x64

6

k08cwjcrlzilk8t.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    135s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-08-2024 00:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    k08cwjcrlzilk8t.dll

  • Size

    13KB

  • MD5

    05ad6c2690084ff9cc4ff14b455b781e

  • SHA1

    9b0ff8da652e83aa675bfc5fd7d5c9173d134509

  • SHA256

    97de472526c14080264663f4b729df51c4208a1e37d190a0412076a682f0aa7b

  • SHA512

    e48f4b3ac853d6669f5e9f2dd7516eb268941f50189e6f99a7d5f4ef9bab88709bc6c9c02267e6f61659dba50c67163481376c3cb6d4e5bc7a6641f15b9e309e

  • SSDEEP

    192:hMvg35NXh2oeh05mdX7zAnMVm8j5Ykrx/FTwB72yUnbcpAY05ASxVkEw6ZIYNQ:hM8X2/Dhvp7Bx/K4bcpgASEE3ZlN

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\k08cwjcrlzilk8t.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\k08cwjcrlzilk8t.dll,#1
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2608
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 740
        3⤵
        • Program crash
        PID:4436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2608 -ip 2608
    1⤵
      PID:2452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2608-0-0x0000000074D90000-0x0000000074D98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2608-2-0x0000000074D90000-0x0000000074D98000-memory.dmp

      Filesize

      32KB

      Download