Analysis
-
max time kernel
95s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/12/2024, 19:27 UTC
Behavioral task
behavioral1
Sample
0aaecc9eebe1e2e34e7c0a75fa4f9ce4f4a42164acec1ef4cf8100020dc0724a.dll
Resource
win7-20240903-en
5 signatures
150 seconds
General
-
Target
0aaecc9eebe1e2e34e7c0a75fa4f9ce4f4a42164acec1ef4cf8100020dc0724a.dll
-
Size
76KB
-
MD5
96f739ca09f875dcaac5a87a7846be8e
-
SHA1
0ecd7e2143249bb0303429343e82e682d0f5bc36
-
SHA256
0aaecc9eebe1e2e34e7c0a75fa4f9ce4f4a42164acec1ef4cf8100020dc0724a
-
SHA512
f3e85d6b6dd0e67d4fda7bd3e3478844b5bfcafa3b17f9b256e90bd413fae5f1863bdc181a782d9c9555d574cd385a162f347292dc92589450c0ca68d0d1f37a
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZmB5kdnQEApWrP:c8y93KQjy7G55riF1cMo03A5kdnQrWj
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3096-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/3096-1-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2436 3096 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3096 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4600 wrote to memory of 3096 4600 rundll32.exe 83 PID 4600 wrote to memory of 3096 4600 rundll32.exe 83 PID 4600 wrote to memory of 3096 4600 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0aaecc9eebe1e2e34e7c0a75fa4f9ce4f4a42164acec1ef4cf8100020dc0724a.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0aaecc9eebe1e2e34e7c0a75fa4f9ce4f4a42164acec1ef4cf8100020dc0724a.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3096 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 7163⤵
- Program crash
PID:2436
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3096 -ip 30961⤵PID:3160
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
No results found
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa