Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 02:05
Static task
static1
Behavioral task
behavioral1
Sample
24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/chbtjlxnc.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/chbtjlxnc.dll
Resource
win10v2004-20241007-en
General
-
Target
$PLUGINSDIR/chbtjlxnc.dll
-
Size
32KB
-
MD5
04e7cb86dc41703a5cf85fc5876ca52c
-
SHA1
c1b4b144bcfbb9cb60f0feb98c74aeb1ca83abea
-
SHA256
f151cb8d01bd600340425aed959eff4e663db50941ccba81bee3d94f5ae4e486
-
SHA512
7c38ab8869747baa87473804cca219969534b71cfdd91b01e2a63b84fc7964fbdbbff7f56f336c2d5bac4031e8ede1e39e1d723854f3f7713b9d1ec37f7d3646
-
SSDEEP
768:jm79oRz5DjnPKkSnu9OfiIkuy8nEVFCvLSVrSIaonoIxGRBUxNku6:SPqFZdaontxGUxNZ6
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2332 wrote to memory of 4764 2332 rundll32.exe 82 PID 2332 wrote to memory of 4764 2332 rundll32.exe 82 PID 2332 wrote to memory of 4764 2332 rundll32.exe 82 PID 4764 wrote to memory of 1752 4764 rundll32.exe 83 PID 4764 wrote to memory of 1752 4764 rundll32.exe 83 PID 4764 wrote to memory of 1752 4764 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chbtjlxnc.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chbtjlxnc.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chbtjlxnc.dll,#13⤵PID:1752
-
-