Analysis
-
max time kernel
141s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-09-2024 23:48
Behavioral task
behavioral1
Sample
8d09b3505b185451ca9cf750e5d67c8ab9a82931ec9ae0c337d245f069581c21.dll
Resource
win7-20240903-en
General
-
Target
8d09b3505b185451ca9cf750e5d67c8ab9a82931ec9ae0c337d245f069581c21.dll
-
Size
76KB
-
MD5
26ede7774a97a19be3dbe58a94c39320
-
SHA1
84d64d465382931dbafdf7ebf43a0f7a9a56e9b7
-
SHA256
8d09b3505b185451ca9cf750e5d67c8ab9a82931ec9ae0c337d245f069581c21
-
SHA512
788c172e8d466169079746229754fd96f2920d9cf6869efb96988f22daca64c3f3e18e81005f6279b6d59eb65bcf11c1e497630e0924362b3af5f250c77ea4f8
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZG8gYGH:c8y93KQjy7G55riF1cMo03Q8gYW
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Processes:
resource yara_rule behavioral1/memory/2684-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2684-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2684-2-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2684-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2684-4-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2684-5-0x0000000010000000-0x0000000010030000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid Process 2684 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid Process Token: SeDebugPrivilege 2684 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid Process procid_target PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8d09b3505b185451ca9cf750e5d67c8ab9a82931ec9ae0c337d245f069581c21.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8d09b3505b185451ca9cf750e5d67c8ab9a82931ec9ae0c337d245f069581c21.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684
-