Analysis
-
max time kernel
110s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 12:18
Behavioral task
behavioral1
Sample
a993723443ef8349edf383638f05b8ed564c4f5b2afab3a85eb0caed1958ee85N.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a993723443ef8349edf383638f05b8ed564c4f5b2afab3a85eb0caed1958ee85N.dll
Resource
win10v2004-20240802-en
General
-
Target
a993723443ef8349edf383638f05b8ed564c4f5b2afab3a85eb0caed1958ee85N.dll
-
Size
76KB
-
MD5
4e708ac4f9bd5329dcd23d0413f16720
-
SHA1
e3f063c97230766de959ddb29858c677c686640c
-
SHA256
a993723443ef8349edf383638f05b8ed564c4f5b2afab3a85eb0caed1958ee85
-
SHA512
5a15a319eb953f30370c175d159f62184abdeeb51c3bba978ce674e7c2502213a83765afaa4025f6354d44c3bbb0dc5cd1c6aa7705cadcee34b0587f14eb7dc3
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZoDL/YgGyZMn:c8y93KQjy7G55riF1cMo03WDL/Ygl2n
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral1/memory/1692-2-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1692-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1692-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1692-3-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 1708 1692 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1692 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1680 wrote to memory of 1692 1680 rundll32.exe 30 PID 1680 wrote to memory of 1692 1680 rundll32.exe 30 PID 1680 wrote to memory of 1692 1680 rundll32.exe 30 PID 1680 wrote to memory of 1692 1680 rundll32.exe 30 PID 1680 wrote to memory of 1692 1680 rundll32.exe 30 PID 1680 wrote to memory of 1692 1680 rundll32.exe 30 PID 1680 wrote to memory of 1692 1680 rundll32.exe 30 PID 1692 wrote to memory of 1708 1692 rundll32.exe 31 PID 1692 wrote to memory of 1708 1692 rundll32.exe 31 PID 1692 wrote to memory of 1708 1692 rundll32.exe 31 PID 1692 wrote to memory of 1708 1692 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a993723443ef8349edf383638f05b8ed564c4f5b2afab3a85eb0caed1958ee85N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a993723443ef8349edf383638f05b8ed564c4f5b2afab3a85eb0caed1958ee85N.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 3203⤵
- Program crash
PID:1708
-
-