Analysis
max time kernel: 94s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 14:37
Behavioral task
behavioral1
Sample: d531bba4c16965408be9f10b97b12800N.dll
Resource: win7-20240903-en
5 signatures
120 seconds
Note that the analysis header above describes a win10v2004 run and the memory dumps below are labelled behavioral2, so the task listed here (behavioral1 on win7) appears to differ from the run whose signatures and process tree follow.
General
Target: d531bba4c16965408be9f10b97b12800N.dll
Size: 76KB
MD5: d531bba4c16965408be9f10b97b12800
SHA1: 9c6bef38455f0ef5cfc9183ee87ae3dfb980e956
SHA256: 5302418c5529ec31a7782694bbef67712333b676f36881bfcb2a70807e2edf22
SHA512: 3e6d314c39367a80193d2049fa2649a9fe96d58b15281099d410893bc18aaf014e088cd2058b9793c44ca187035c59753667b05c09e25e6ce587871e9cf690f7
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZnmSsMS0FmH:c8y93KQjy7G55riF1cMo03Irb
The target name is the file's MD5 with an N suffix, so the sample's original filename is not recorded in this report; pivot on the hashes rather than the name.
Malware Config
Signatures

Memory dumps matching yara rule upx
Processes:
resource | yara_rule
behavioral2/memory/920-0-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/920-1-0x0000000010000000-0x0000000010030000-memory.dmp | upx
Both dumps are taken from PID 920 at 0x10000000, the default image base of a 32-bit DLL. A 0x30000 (192KB) mapped range for a 76KB file is what a packed image looks like in memory: the unpacked sections exist only virtually on disk.

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4056 | 920 | WerFault.exe | rundll32.exe
WerFault was invoked for PID 920, the rundll32.exe instance that hosted the DLL. Anything the export would have done after the crash is unobserved in this run, not absent.

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Opening this key is common in benign locale initialisation, so on its own it is weak evidence of deliberate geofencing.

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 920 | rundll32.exe
rundll32.exe has no reason of its own to enable SeDebugPrivilege, so attribute this to the loaded DLL's code.

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 4880 wrote to memory of 920 | 4880 | rundll32.exe | rundll32.exe
PID 4880 wrote to memory of 920 | 4880 | rundll32.exe | rundll32.exe
PID 4880 wrote to memory of 920 | 4880 | rundll32.exe | rundll32.exe
All three writes are from the 64-bit rundll32.exe (4880) into the 32-bit rundll32.exe child it launched (920). That is consistent with the parent starting the SysWOW64 copy for an x86 DLL and is not, on its own, evidence of injection into an unrelated process.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d531bba4c16965408be9f10b97b12800N.dll,#1
  PID: 4880
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d531bba4c16965408be9f10b97b12800N.dll,#1
      PID: 920
      signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 712
          PID: 4056
          signatures: Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 920 -ip 920
  PID: 4216

Reading the tree: the sandbox invoked the DLL by ordinal (,#1), so only export #1 was exercised. The 64-bit rundll32.exe (4880) re-executed its 32-bit copy from SysWOW64 (920), which is what happens when the DLL is x86, and it is 920, the process that actually ran the export, that crashed (both WerFault instances carry -p 920). Any behaviour that would follow the crash, and any export other than #1, was not observed; re-run with the intended export name and arguments before concluding the sample is inert.
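As an added worked example (my own script, not part of the report or of the sandbox's tooling), the following parses the process tree in the flattened form it takes when copied out of the web UI, where the image path is glued to the command line and each command line is trailed by a tree-depth digit and a ⤵ glyph, rebuilds parent/child links from those depths, and then answers the questions a triager asks of this run: which PIDs hosted the DLL, whether execution crossed from System32 into SysWOW64, and whether the host that ran the export is the one WerFault reported on. The regex names, the Proc class and the summary keys are my own; the tree text is constructed from the report above.

```python
# Rebuild the rundll32 process chain from flattened sandbox report text and
# answer: which PID hosted the DLL, did it cross into WOW64, did it crash.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the tree as it reads when copied out of the web UI.
# Not a Triage export or API format.
TREE_TEXT = r"""
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d531bba4c16965408be9f10b97b12800N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d531bba4c16965408be9f10b97b12800N.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 7123⤵
- Program crash
PID:4056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 920 -ip 9201⤵PID:4216
"""

# image = drive letter up to the first ".exe"; cmd = up to the single depth
# digit before the glyph; rest = anything glued after it (e.g. "PID:4216").
ENTRY_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\[^⤵]*?\.exe)(?P<cmd>[^⤵]*?)(?P<depth>\d)⤵(?P<rest>.*)$")
PID_RE = re.compile(r"PID:(\d+)")
WERFAULT_TARGET_RE = re.compile(r"(?:^|\s)-p (\d+)")  # WerFault's "-p <pid>"

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: list = field(default_factory=list)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_tree(text: str) -> list:
    """Parse entries in order; a parent is the nearest preceding entry one
    level shallower, which is how the indented UI tree encodes it."""
    procs, current, last_at_depth = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = Proc(m["image"], m["cmd"].strip(), int(m["depth"]))
            current.parent = last_at_depth.get(current.depth - 1)
            last_at_depth[current.depth] = current
            procs.append(current)
            line = m["rest"]
        elif current is not None and line.startswith("- "):
            current.signatures.append(line[2:])
            continue
        pm = PID_RE.search(line)
        if pm and current is not None:
            current.pid = int(pm.group(1))
    return procs

def dll_hosts(procs: list, dll_name: str) -> list:
    """PIDs whose command line loads the sample (rundll32 <dll>,<export>)."""
    return [p.pid for p in procs if dll_name.lower() in p.cmdline.lower()]

def wow64_transitions(procs: list) -> list:
    """Children in SysWOW64 whose parent is the same binary from System32: the
    64-bit rundll32 re-executing its 32-bit copy because the DLL is x86."""
    return [p.pid for p in procs
            if p.parent is not None
            and basename(p.image) == basename(p.parent.image)
            and "\\syswow64\\" in p.image.lower()
            and "\\system32\\" in p.parent.image.lower()]

def crashed_pids(procs: list) -> set:
    """PIDs that WerFault.exe was started for, taken from its -p argument."""
    out = set()
    for p in procs:
        if basename(p.image) == "werfault.exe":
            m = WERFAULT_TARGET_RE.search(p.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out

def summarize(procs: list, dll_name: str) -> dict:
    hosts, crashed = dll_hosts(procs, dll_name), crashed_pids(procs)
    return {
        "dll_hosts": hosts,
        "wow64_hosts": wow64_transitions(procs),
        "crashed_pids": crashed,
        # If the process that ran the export crashed, everything after that
        # point in the run is unobserved rather than absent.
        "payload_crashed": any(pid in crashed for pid in hosts),
    }
```

Calling summarize(parse_tree(TREE_TEXT), "d531bba4c16965408be9f10b97b12800N.dll") on this report yields dll_hosts [4880, 920], wow64_hosts [920], crashed_pids {920} and payload_crashed True, which is the one-line answer to "did the payload actually run": export #1 was reached in the 32-bit host and died there. The depth-based parent linking only holds while the UI nests processes one level per child, and a depth digit above 9 would need the regex widened; both are assumptions about the copied text, not about the sandbox.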