Analysis

max time kernel: 95s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 14:43

Behavioral task: behavioral1
Sample: d53b12f422a463bf4006875933fb3336b580078f247e4c661571fe83154bf31b.dll
Resource: win7-20240903-en
16 signatures
150 seconds
General

Target: d53b12f422a463bf4006875933fb3336b580078f247e4c661571fe83154bf31b.dll
Size: 437KB
MD5: 893ffac5398d65b1e17378527553d513
SHA1: 5dcda28ef8b4582f3072b1d50bad4e9de36eb21e
SHA256: d53b12f422a463bf4006875933fb3336b580078f247e4c661571fe83154bf31b
SHA512: ff0f92e3961cefb14198abaa2d5f2bbab3eb7a1540116d3aa731da248bf98e790f77f29396a82669435f4f156f997c35b3f60cc4b2becd5a882677144a083dae
SSDEEP: 6144:bas0ZLc/IJvCklIqA8mvHwgnHJp9OWqw7zsK0bencTpX4KtjY5Jt/lt0zwzOu6WX:gBFJqk2q1g5ppemr0bAKoNfnQCSWpoSN
Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (20 IoCs)

  description            pid   Process        procid_target
  PID 684 created 612    684   rundll32.exe   5
  (identical entry recorded 20 times)

  resource                                                                     yara_rule
  behavioral2/memory/684-0-0x0000000010000000-0x00000000100A6000-memory.dmp    upx

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)

  pid   Process
  684   rundll32.exe
  (identical entry recorded 4 times)

Suspicious use of AdjustPrivilegeToken (20 IoCs)

  description               pid   Process
  Token: SeDebugPrivilege   684   rundll32.exe
  (identical entry recorded 20 times)

Suspicious use of WriteProcessMemory (63 IoCs)

Each write below is logged three times in the report (3 + 20 x 3 = 63 entries).

  description                        pid    Process        procid_target
  PID 3136 wrote to memory of 684    3136   rundll32.exe   82
  PID 684 wrote to memory of 4888    684    rundll32.exe   83
  PID 684 wrote to memory of 1496    684    rundll32.exe   84
  PID 684 wrote to memory of 2892    684    rundll32.exe   85
  PID 684 wrote to memory of 3272    684    rundll32.exe   86
  PID 684 wrote to memory of 1528    684    rundll32.exe   87
  PID 684 wrote to memory of 2028    684    rundll32.exe   88
  PID 684 wrote to memory of 3496    684    rundll32.exe   89
  PID 684 wrote to memory of 1432    684    rundll32.exe   90
  PID 684 wrote to memory of 4636    684    rundll32.exe   91
  PID 684 wrote to memory of 1600    684    rundll32.exe   92
  PID 684 wrote to memory of 3580    684    rundll32.exe   93
  PID 684 wrote to memory of 2304    684    rundll32.exe   94
  PID 684 wrote to memory of 2500    684    rundll32.exe   95
  PID 684 wrote to memory of 3428    684    rundll32.exe   96
  PID 684 wrote to memory of 1608    684    rundll32.exe   97
  PID 684 wrote to memory of 4632    684    rundll32.exe   98
  PID 684 wrote to memory of 4664    684    rundll32.exe   99
  PID 684 wrote to memory of 1100    684    rundll32.exe   100
  PID 684 wrote to memory of 2772    684    rundll32.exe   101
  PID 684 wrote to memory of 3148    684    rundll32.exe   102
Processes

C:\Windows\system32\winlogon.exe
    command line: winlogon.exe
    PID: 612

    20 child processes, all C:\Windows\SysWOW64\svchost.exe
        command line (each): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
        PIDs: 4888, 1496, 2892, 3272, 1528, 2028, 3496, 1432, 4636, 1600, 3580, 2304, 2500, 3428, 1608, 4632, 4664, 1100, 2772, 3148

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d53b12f422a463bf4006875933fb3336b580078f247e4c661571fe83154bf31b.dll,#1
    PID: 3136
    signatures:
        - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d53b12f422a463bf4006875933fb3336b580078f247e4c661571fe83154bf31b.dll,#1
        PID: 684
        signatures:
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory