Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 18:22
Static task
static1
Behavioral task
behavioral1
Sample
AdbWinApi.dll
Resource
win7-20240708-en
General
-
Target
AdbWinApi.dll
-
Size
182KB
-
MD5
cdba2b25b83a99889e1b81dfaeca4ce2
-
SHA1
87002bdefb59fcc80840d0051e75ba6b621c711f
-
SHA256
585a3c061b60f6611d4bb5204ad23f3f63ed9ab428a5068c30135b626b9ec8de
-
SHA512
83e9a81c0f5b7ee46197586f0f76eb3df4c3aa3fc8d94f4fcc9f45fa5bbbaf835740d90a678a9d0504fca3332b87b1bd346c5199da22351d2b0b1cee6be98846
-
SSDEEP
3072:PwqDuL8Tr5lzq0et+ui1yEk2lQBV+UdE+rECWp7hKwzk:oq28RMJLBV+UdvrEFp7hK+k
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
resource yara_rule behavioral1/files/0x000a0000000120d5-1.dat floxif -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000a0000000120d5-1.dat acprotect -
Loads dropped DLL 2 IoCs
pid Process 1128 rundll32.exe 2176 WerFault.exe -
resource yara_rule behavioral1/files/0x000a0000000120d5-1.dat upx behavioral1/memory/1128-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1128-7-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Common Files\System\symsrv.dll rundll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2176 1128 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1128 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2568 wrote to memory of 1128 2568 rundll32.exe 30 PID 2568 wrote to memory of 1128 2568 rundll32.exe 30 PID 2568 wrote to memory of 1128 2568 rundll32.exe 30 PID 2568 wrote to memory of 1128 2568 rundll32.exe 30 PID 2568 wrote to memory of 1128 2568 rundll32.exe 30 PID 2568 wrote to memory of 1128 2568 rundll32.exe 30 PID 2568 wrote to memory of 1128 2568 rundll32.exe 30 PID 1128 wrote to memory of 2176 1128 rundll32.exe 31 PID 1128 wrote to memory of 2176 1128 rundll32.exe 31 PID 1128 wrote to memory of 2176 1128 rundll32.exe 31 PID 1128 wrote to memory of 2176 1128 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dll,#12⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 3003⤵
- Loads dropped DLL
- Program crash
PID:2176
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab