Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 15:21
Static task
static1
Behavioral task
behavioral1
Sample
ade12726d39e018b7b2af09137a73fb0N.dll
Resource
win7-20240708-en
General
-
Target
ade12726d39e018b7b2af09137a73fb0N.dll
-
Size
188KB
-
MD5
ade12726d39e018b7b2af09137a73fb0
-
SHA1
34669aeb41693ae975fad2074cbcaf5856e25751
-
SHA256
0ab8f09cb702eea4c4002ede82481a68fa9b66320d28f6031d1a9c848bae9732
-
SHA512
b1744a62d4833a847e00c0893d29c9c2f8fbd185f684f385362fe434d169bd3a4b75323682bd5399545eee62528cb471e1d8c8e9be0937b3190bff2e68d039ab
-
SSDEEP
3072:5dhYpssqPC4gDbteUuH0InaCyhwhOtXWpit52lQBV+UdE+rECWp7hKOFU:5jY2Fq55uH0iyhwhOtX+UBV+UdvrEFpE
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
Processes:
resource yara_rule C:\Program Files\Common Files\System\symsrv.dll floxif -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Program Files\Common Files\System\symsrv.dll acprotect -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3120 rundll32.exe -
Processes:
resource yara_rule C:\Program Files\Common Files\System\symsrv.dll upx behavioral2/memory/3120-4-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/3120-5-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Program Files\Common Files\System\symsrv.dll rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3120 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 820 wrote to memory of 3120 820 rundll32.exe rundll32.exe PID 820 wrote to memory of 3120 820 rundll32.exe rundll32.exe PID 820 wrote to memory of 3120 820 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ade12726d39e018b7b2af09137a73fb0N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ade12726d39e018b7b2af09137a73fb0N.dll,#12⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3120
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab