Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-10-2024 08:59
Static task: static1
Behavioral task: behavioral1
  Sample: BOLETO.PDF91235.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: BOLETO.PDF91235.dll
  Resource: win10v2004-20241007-en
General
Target: BOLETO.PDF91235.dll
Size: 908KB
MD5: 0b0e35589e88331cea0a61aa928b4a63
SHA1: 488fefead26edc92a81d3e24c5360a7bd21f5946
SHA256: 46877de18cee161794aec4fe9e46e2983847474d58023ff4f21a5256c9ee4703
SHA512: 6a72645bf36deb47aad5f7101750be923a8c76a3d79991f030f6543833dcf4607b545281e83c90b2240349f78c26409bd5b76a58a4c06894b37930250af43705
SSDEEP: 12288:8RU+PnumcrlCE4aaQN+CULU52eQMalnTLfNz36VQJwT6X888888888888W88888P:kEhn4aaQNHaK2eQXpl36VbT6
Malware Config
(none extracted)

Signatures

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1924 wrote to memory of 1624 | 1924 | rundll32.exe | 31
  PID 1924 wrote to memory of 1624 | 1924 | rundll32.exe | 31
  PID 1924 wrote to memory of 1624 | 1924 | rundll32.exe | 31
  PID 1924 wrote to memory of 1624 | 1924 | rundll32.exe | 31
  PID 1924 wrote to memory of 1624 | 1924 | rundll32.exe | 31
  PID 1924 wrote to memory of 1624 | 1924 | rundll32.exe | 31
  PID 1924 wrote to memory of 1624 | 1924 | rundll32.exe | 31
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\BOLETO.PDF91235.dll,#1
   PID: 1924
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1924)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\BOLETO.PDF91235.dll,#1
      PID: 1624
      - System Location Discovery: System Language Discovery