Analysis
max time kernel: 110s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 21:21
Static task: static1
Behavioral task: behavioral1
  Sample: 65fa9ba6cc3ff61c8361471a460236584fd0ade87986c78383a2e37015b87047N.dll
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 65fa9ba6cc3ff61c8361471a460236584fd0ade87986c78383a2e37015b87047N.dll
  Resource: win10v2004-20240802-en
General
Target: 65fa9ba6cc3ff61c8361471a460236584fd0ade87986c78383a2e37015b87047N.dll
Size: 24KB
MD5: fdbca8ad3f3b31dc191fadf33bf1b8e0
SHA1: 97caea80f578b3d5cd275fd76e73202686bce3a0
SHA256: 65fa9ba6cc3ff61c8361471a460236584fd0ade87986c78383a2e37015b87047
SHA512: a007ed64f4a0e1dc4668b89c3fe46425872ce5bb5b8bf46d49ce770383b2ca09b8ab63131a7083ad179a6ca47471a9ee49b101fcf179ee89aac0797b1300a18f
SSDEEP: 384:uRCJ8mkOMEPbqqCs3iMsk3HXqBH5Wk8hNwK5jBk5Yma8wbJ7cXGKwPRQpqdwcpew:PJ5zdDxF3OkHXqR5WkiNwck6peXGKISK
Malware Config
Signatures
Drops file in Windows directory (4 IoCs)
  description                   ioc                                 process
  File opened for modification  C:\Windows\clbcatq.dll1351992000    rundll32.exe
  File opened for modification  C:\Windows\linkinfo.dll1835307975   rundll32.exe
  File created                  C:\Windows\linkinfo.dll             rundll32.exe
  File created                  C:\Windows\twain_86.dll             rundll32.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process       procid_target
  PID 4796 wrote to memory of 4804  4796  rundll32.exe  81
  PID 4796 wrote to memory of 4804  4796  rundll32.exe  81
  PID 4796 wrote to memory of 4804  4796  rundll32.exe  81
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65fa9ba6cc3ff61c8361471a460236584fd0ade87986c78383a2e37015b87047N.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4796
  C:\Windows\SysWOW64\rundll32.exe (child of PID 4796)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65fa9ba6cc3ff61c8361471a460236584fd0ade87986c78383a2e37015b87047N.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
    PID: 4804