Analysis
- max time kernel: 115s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-09-2024 12:08
Behavioral task behavioral1
- Sample: TrojanDropper.Win32.dll
- Resource: win7-20240903-en
Behavioral task behavioral2 (the run this report covers; the memory dumps below are tagged behavioral2)
- Sample: TrojanDropper.Win32.dll
- Resource: win10v2004-20240802-en
General
- Target: TrojanDropper.Win32.dll
- Size: 80KB
- MD5: da876b1ccfc32e48447fb2bcd97d7100
- SHA1: caa2d84d33c8701408dbb04aa50929ec0cb39982
- SHA256: 881fa82e7cd7a08691f6d8795c37e3edf2d9c134ee1dc01d3251775a0f04c503
- SHA512: 8236977145e3419ede6c56d53be466376064ab94a888ad41309884080922892475bc13f3b1767f421241d89716cc2f7a853e3df27cc76dd7b838f8e53077b646
- SSDEEP: 1536:5POOhfbOjovgdVydUgoNrwBZXGDaZ1QIxrfItMgR7ZaO+fGxHZPEZ9lpy:5dbwovEVyqgoZmZXWfIdQdRaefPslE
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. This signature is listed with a TTP but no IoCs, so it is not backed by an observed write to the AppInit_DLLs value in this run. On a suspect host, confirm by reading the AppInit_DLLs and LoadAppInit_DLLs values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (and the Wow6432Node mirror for 32-bit processes). Windows 8 and later ignore AppInit_DLLs entirely while Secure Boot is enabled.
-
yara rule `upx` matched in memory dumps of PID 3536 (rundll32.exe) 2 IoCs
- resource: behavioral2/memory/3536-0-0x0000000010000000-0x0000000010033000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/3536-2-0x0000000010000000-0x0000000010033000-memory.dmp, yara_rule: upx
The matched region starts at 0x10000000, the default image base of a 32-bit DLL, so the UPX-packed image is the sample itself as mapped into the WoW64 rundll32.exe.
Network Service Discovery, arp.exe children of PID 3536 (each is tagged Network Service Discovery in the process tree) 9 IoCs
- pid 3488 arp.exe
- pid 2628 arp.exe
- pid 4156 arp.exe
- pid 1592 arp.exe
- pid 2316 arp.exe
- pid 1764 arp.exe
- pid 4044 arp.exe
- pid 4836 arp.exe
- pid 2776 arp.exe
Program crash 1 IoCs
- pid 3032 WerFault.exe, pid_target 3536 (rundll32.exe), procid_target 89
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: arp.exe (9 of the 10 IoCs, one per arp.exe child)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe (PID 3536)
This key is read during ordinary locale initialization, so the signature fires for most Windows processes; the ten hits here add no evidence of intent beyond the process tree itself and should be treated as low-signal.
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, pid 3536, Process rundll32.exe (the WoW64 instance that later spawns the arp.exe children and crashes)
Suspicious use of WriteProcessMemory 30 IoCs
Each row below appears three times in the raw report (one row per parent/child pair, 10 pairs, 30 IoCs):
pid   Process        wrote to memory of   procid_target
4912  rundll32.exe   3536                 89
3536  rundll32.exe   1592                 91
3536  rundll32.exe   4156                 94
3536  rundll32.exe   2628                 95
3536  rundll32.exe   3488                 96
3536  rundll32.exe   2776                 97
3536  rundll32.exe   4836                 98
3536  rundll32.exe   4044                 99
3536  rundll32.exe   1764                 100
3536  rundll32.exe   2316                 101
Every target is a process the writer itself had just created, and the fixed three writes per child are what process creation produces when the parent sets up the new process. There is no write into a process the sample did not spawn, so this section records the process tree rather than code injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (PID 4912)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3536)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.dll,#1
    (the 64-bit rundll32 re-launches its WoW64 counterpart because the DLL is 32-bit; the export is called by ordinal #1)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\arp.exe (PID 1592)  arp -a
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 4156)  arp -s 10.127.0.1 4a-1f-70-1d-31-19
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 2628)  arp -s 10.127.255.255 63-08-c0-75-15-91
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 3488)  arp -s 37.27.61.184 c9-79-91-4c-eb-ae
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 2776)  arp -s 224.0.0.22 27-c5-98-c9-bd-2c
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 4836)  arp -s 224.0.0.251 5c-99-9d-00-a3-34
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 4044)  arp -s 224.0.0.252 43-ee-ab-06-36-5c
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 1764)  arp -s 239.255.255.250 c2-25-83-a6-86-d9
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\arp.exe (PID 2316)  arp -s 255.255.255.255 b4-e9-28-57-96-d3
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (PID 3032)  C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 704
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3476)  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3536 -ip 3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4024)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3032,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
  (top-level process with no tagged signatures; the tree does not link it to the sample)

Reading the arp.exe burst: after one `arp -a` to list the cache, the sample pins eight static entries with MAC addresses that match no visible host. The targets are what looks like the sandbox gateway (10.127.0.1, an assumption from the 10.127.255.255 entry, which is the /16 directed broadcast), one public address (37.27.61.184), the IGMP, mDNS and LLMNR multicast groups (224.0.0.22, 224.0.0.251, 224.0.0.252), the SSDP group (239.255.255.250) and the limited broadcast address (255.255.255.255). A static ARP entry overrides resolution for that address, so bogus entries on the gateway and on the broadcast and multicast addresses blackhole the host's default route and its LAN name-resolution and discovery traffic. `arp -s` needs administrative rights, which the sandbox's Admin user provides. The WoW64 rundll32.exe (PID 3536) then crashes and is reported by WerFault.exe.
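The parent/child pattern above (a non-shell parent spawning a burst of `arp -s` commands aimed at multicast and broadcast addresses) is easy to detect from process-creation telemetry. The following Python is an added example written for this page, not part of the sandbox report or of the sample; its input records are constructed from the report's process tree (pid, ppid, image, command line), with PID 4912 given a placeholder ppid of 0 because its parent is not shown. A real deployment would feed it Sysmon Event ID 1 or EDR process-creation events in the same shape.

```python
"""Detect a process pinning static ARP entries for multicast/broadcast addresses.

Added example, not part of the sandbox report or the sample. PROCESS_EVENTS is
constructed from the report's process tree; feed Sysmon Event ID 1 or EDR
process-creation records in the same (pid, ppid, image, cmdline) shape in practice.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed from the report: (pid, ppid, image, command line).
# The parent of PID 4912 is not shown in the report, so ppid 0 is a placeholder.
PROCESS_EVENTS = [
    (4912, 0,    r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.dll,#1"),
    (3536, 4912, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.dll,#1"),
    (1592, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -a"),
    (4156, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 10.127.0.1 4a-1f-70-1d-31-19"),
    (2628, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 10.127.255.255 63-08-c0-75-15-91"),
    (3488, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 37.27.61.184 c9-79-91-4c-eb-ae"),
    (2776, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 224.0.0.22 27-c5-98-c9-bd-2c"),
    (4836, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 224.0.0.251 5c-99-9d-00-a3-34"),
    (4044, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 224.0.0.252 43-ee-ab-06-36-5c"),
    (1764, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 239.255.255.250 c2-25-83-a6-86-d9"),
    (2316, 3536, r"C:\Windows\SysWOW64\arp.exe", "arp -s 255.255.255.255 b4-e9-28-57-96-d3"),
    (3032, 3536, r"C:\Windows\SysWOW64\WerFault.exe", "WerFault.exe -u -p 3536 -s 704"),
]

ARP_STATIC = re.compile(r"^\s*arp(?:\.exe)?\s+-s\s+(\S+)\s+(\S+)", re.IGNORECASE)
MAC = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.IGNORECASE)

# Parents from which an administrator would plausibly run arp.exe (assumed allow-list).
EXPECTED_ARP_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def classify_target(ip_text):
    """Label the address an 'arp -s' entry pins: multicast, broadcast or unicast."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if ip.is_multicast:
        return "multicast"
    if ip_text.endswith(".255"):  # heuristic: probably a subnet-directed broadcast
        return "directed-broadcast?"
    return "private-unicast" if ip.is_private else "public-unicast"


def parse_static_arp(cmdline):
    """Return (ip, mac) for an 'arp -s <ip> <mac>' command line, else None."""
    m = ARP_STATIC.match(cmdline)
    if not m:
        return None
    ip_text, mac = m.group(1), m.group(2)
    if not MAC.match(mac):
        return None  # arp.exe rejects a malformed MAC, so nothing would be pinned
    return ip_text, mac


def find_static_arp_abuse(events, threshold=3):
    """Group 'arp -s' children by parent and flag parents that are not an
    interactive shell, that pin multicast/broadcast addresses, or that pin
    at least `threshold` entries. Returns one finding dict per flagged parent."""
    image = {pid: img for pid, _, img, _ in events}
    per_parent = defaultdict(list)
    for pid, ppid, img, cmd in events:
        if img.lower().rsplit("\\", 1)[-1] != "arp.exe":
            continue
        parsed = parse_static_arp(cmd)
        if parsed:
            per_parent[ppid].append((pid, parsed[0], classify_target(parsed[0]), parsed[1]))

    findings = []
    for ppid, entries in per_parent.items():
        parent = image.get(ppid, "<unknown>").rsplit("\\", 1)[-1].lower()
        kinds = {kind for _, _, kind, _ in entries}
        reasons = []
        if parent not in EXPECTED_ARP_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if kinds & {"multicast", "limited-broadcast", "directed-broadcast?"}:
            reasons.append("pins multicast/broadcast addresses (blackholes mDNS/LLMNR/SSDP/IGMP and broadcast)")
        if len(entries) >= threshold:
            reasons.append(f"{len(entries)} static entries in one burst")
        if reasons:
            findings.append({"parent_pid": ppid, "parent": parent,
                             "entries": entries, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_static_arp_abuse(PROCESS_EVENTS):
        print(f"parent {f['parent']} (pid {f['parent_pid']}): " + "; ".join(f["reasons"]))
        for pid, ip, kind, mac in f["entries"]:
            print(f"  pid {pid}: {ip:<16} {kind:<20} -> {mac}")
```

Run against the constructed events it yields a single finding for rundll32.exe (PID 3536) with all three reasons: unexpected parent, multicast/broadcast targets, and eight entries in one burst. The `arp -a` child is deliberately ignored, since listing the cache is benign on its own; the allow-list of expected parents and the burst threshold are tuning knobs, not facts from the report.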