Analysis
max time kernel: 93s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:58
Behavioral task: behavioral1
Sample: b588a66262507b07818144d7a0e34757529b9bd76d534af8c24ac0ea7ce8ae9e.dll
Resource: win7-20241023-en
General
Target: b588a66262507b07818144d7a0e34757529b9bd76d534af8c24ac0ea7ce8ae9e.dll
Size: 76KB
MD5: 762b5d2face53f7a838f788762ba7a90
SHA1: 6e093e900429e79d00f86be07e881a4590563515
SHA256: b588a66262507b07818144d7a0e34757529b9bd76d534af8c24ac0ea7ce8ae9e
SHA512: 8638c0f78fb5b5904d321357ad8f6637df93e499eb776c86cad06c03feac47a628adffb5d3609bddf5574404f2edede904274579b4ee8768c2bd3297eb71d276
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZmvjKeytoB5kdnQE7:c8y93KQjy7G55riF1cMo030vL5kdnQS
Malware Config
Signatures
- Processes:
  resource | yara_rule
  behavioral2/memory/4852-0-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral2/memory/4852-1-0x0000000010000000-0x0000000010030000-memory.dmp | upx
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  1084 | 4852 | WerFault.exe | rundll32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4852 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3492 wrote to memory of 4852 | 3492 | rundll32.exe | rundll32.exe
  PID 3492 wrote to memory of 4852 | 3492 | rundll32.exe | rundll32.exe
  PID 3492 wrote to memory of 4852 | 3492 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b588a66262507b07818144d7a0e34757529b9bd76d534af8c24ac0ea7ce8ae9e.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3492
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b588a66262507b07818144d7a0e34757529b9bd76d534af8c24ac0ea7ce8ae9e.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4852
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 712
      - Program crash
      PID: 1084
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4852 -ip 4852
  PID: 3956