Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 15:17
Behavioral task
behavioral1
Sample
228245e19991432f83a537f389d9ceee65aaf9b242a4818d089126233928a2caN.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
228245e19991432f83a537f389d9ceee65aaf9b242a4818d089126233928a2caN.dll
Resource
win10v2004-20241007-en
General
-
Target
228245e19991432f83a537f389d9ceee65aaf9b242a4818d089126233928a2caN.dll
-
Size
76KB
-
MD5
fd9606ccdc54bbeb52caed901e32d5e0
-
SHA1
1a8c1dab4ba45f54c6aec6d99d3f76a48afdcc40
-
SHA256
228245e19991432f83a537f389d9ceee65aaf9b242a4818d089126233928a2ca
-
SHA512
c1e6aaa86ac0393b4d2fe30ce4a6a43570bc8dfea00d7afa5b14c019b39b1ce83a56fb59b37f17f39913c89cd710dac7dd089467cd1c9716166f0d23cc9ab721
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Z6fHMi:c8y93KQjy7G55riF1cMo03IPj
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral2/memory/2652-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/2652-2-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2648 2652 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2652 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2652 2664 rundll32.exe 85 PID 2664 wrote to memory of 2652 2664 rundll32.exe 85 PID 2664 wrote to memory of 2652 2664 rundll32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\228245e19991432f83a537f389d9ceee65aaf9b242a4818d089126233928a2caN.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\228245e19991432f83a537f389d9ceee65aaf9b242a4818d089126233928a2caN.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 6683⤵
- Program crash
PID:2648
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2652 -ip 26521⤵PID:4152