Analysis
-
max time kernel
110s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-09-2024 22:46
Behavioral task
behavioral1
Sample
0c0f6d3102d9bffadbbbd7996d4cb270N.dll
Resource
win7-20240708-en
General
-
Target
0c0f6d3102d9bffadbbbd7996d4cb270N.dll
-
Size
76KB
-
MD5
0c0f6d3102d9bffadbbbd7996d4cb270
-
SHA1
000e384fa14be66d7c92c99a9ef6cdbebcd6d4cc
-
SHA256
8e3d8944eee22863fdd33e9f8ee7ffdcccbd21d2ab5de91e6d2ed3b421e56761
-
SHA512
eacd12bfb4d190b6710d2b63cfc531dbe66b601c0a551b0f81097af9c77eeb7a234d5f2ad11e4fadf89df5fb456baace7553e3310b1aa5b68b701c7e474aa947
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Z47MteqWlc:c8y93KQjy7G55riF1cMo03Tslc
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Processes:
resource yara_rule behavioral1/memory/2152-2-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2152-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2152-3-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2800 2152 WerFault.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2152 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2672 wrote to memory of 2152 2672 rundll32.exe rundll32.exe PID 2672 wrote to memory of 2152 2672 rundll32.exe rundll32.exe PID 2672 wrote to memory of 2152 2672 rundll32.exe rundll32.exe PID 2672 wrote to memory of 2152 2672 rundll32.exe rundll32.exe PID 2672 wrote to memory of 2152 2672 rundll32.exe rundll32.exe PID 2672 wrote to memory of 2152 2672 rundll32.exe rundll32.exe PID 2672 wrote to memory of 2152 2672 rundll32.exe rundll32.exe PID 2152 wrote to memory of 2800 2152 rundll32.exe WerFault.exe PID 2152 wrote to memory of 2800 2152 rundll32.exe WerFault.exe PID 2152 wrote to memory of 2800 2152 rundll32.exe WerFault.exe PID 2152 wrote to memory of 2800 2152 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0c0f6d3102d9bffadbbbd7996d4cb270N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0c0f6d3102d9bffadbbbd7996d4cb270N.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 3283⤵
- Program crash
PID:2800