Analysis
  max time kernel: 119s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 04/11/2024, 02:49

Static task: static1
Behavioral task: behavioral1
Sample: b9153c63ae5911dea43344aa7058e14dd2987652423e3178c5cc1e6cad4fc347.dll
Resource: win7-20240903-en

General
  Target: b9153c63ae5911dea43344aa7058e14dd2987652423e3178c5cc1e6cad4fc347.dll
  Size: 16KB
  MD5: 7d2138c790b086d6f1183e12f21fe861
  SHA1: 7580278b5132bb59159a9fbe5f154092de0f9d0c
  SHA256: b9153c63ae5911dea43344aa7058e14dd2987652423e3178c5cc1e6cad4fc347
  SHA512: 44946f4f5e30cbe02b2722cd0a63a4dce80841f72a4ba6d897a261658b22027bfe4658968cf1e47ce2bde1a3950c0f30ab823836daefa7b9bf75ec4f9d631827
  SSDEEP: 192:n7KSdtf/wB7vzXDe3mt+D69mdzfYluDDDDDDDDDDDDDDDDDDD+yMsuyK3fBQ2fAi:neUnwB7XV1ddDfBJfA
Malware Config

Signatures

Modifies Windows Defender notification settings
  description     | ioc                                                                                                                   | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"         | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications                                     | rundll32.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications                                     | rundll32.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid  | Process
  2340 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid  | pid_target | Process      | procid_target
  2332 | 2328       | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid  | Process
  2340 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2340 | powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        | pid  | Process      | procid_target
  PID 2896 wrote to memory of 2328   | 2896 | rundll32.exe | 31
  PID 2896 wrote to memory of 2328   | 2896 | rundll32.exe | 31
  PID 2896 wrote to memory of 2328   | 2896 | rundll32.exe | 31
  PID 2896 wrote to memory of 2328   | 2896 | rundll32.exe | 31
  PID 2896 wrote to memory of 2328   | 2896 | rundll32.exe | 31
  PID 2896 wrote to memory of 2328   | 2896 | rundll32.exe | 31
  PID 2896 wrote to memory of 2328   | 2896 | rundll32.exe | 31
  PID 2328 wrote to memory of 2340   | 2328 | rundll32.exe | 32
  PID 2328 wrote to memory of 2340   | 2328 | rundll32.exe | 32
  PID 2328 wrote to memory of 2340   | 2328 | rundll32.exe | 32
  PID 2328 wrote to memory of 2340   | 2328 | rundll32.exe | 32
  PID 2328 wrote to memory of 2332   | 2328 | rundll32.exe | 34
  PID 2328 wrote to memory of 2332   | 2328 | rundll32.exe | 34
  PID 2328 wrote to memory of 2332   | 2328 | rundll32.exe | 34
  PID 2328 wrote to memory of 2332   | 2328 | rundll32.exe | 34
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9153c63ae5911dea43344aa7058e14dd2987652423e3178c5cc1e6cad4fc347.dll,#1
  PID: 2896
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9153c63ae5911dea43344aa7058e14dd2987652423e3178c5cc1e6cad4fc347.dll,#1
    PID: 2328
    - Modifies Windows Defender notification settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:TEMP
      PID: 2340
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 244
      PID: 2332
      - Program crash