Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 08:17
Behavioral task
behavioral1
Sample
404a9d184c56e7cb72e8f7f42fd393fe69361b69450e6bae1aa6225889e58a98.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
404a9d184c56e7cb72e8f7f42fd393fe69361b69450e6bae1aa6225889e58a98.dll
Resource
win10v2004-20241007-en
General
-
Target
404a9d184c56e7cb72e8f7f42fd393fe69361b69450e6bae1aa6225889e58a98.dll
-
Size
76KB
-
MD5
75c02330c10d7512d5798b57a689ca7c
-
SHA1
5dd4ea7835fa963556d1648b13376e8c651cc279
-
SHA256
404a9d184c56e7cb72e8f7f42fd393fe69361b69450e6bae1aa6225889e58a98
-
SHA512
7afd7e9b387bb7edcc37cb77f122e3bfa86a1df6ac1ee1f817261761b1cf6de467bae63e2f8f1e432fe1c930318724bc50d05aabb0c563706189c254f5c7256d
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZKKvzyKgO7Tp:c8y93KQjy7G55riF1cMo03fDV
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral2/memory/552-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/552-1-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2064 552 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 552 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2640 wrote to memory of 552 2640 rundll32.exe 82 PID 2640 wrote to memory of 552 2640 rundll32.exe 82 PID 2640 wrote to memory of 552 2640 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\404a9d184c56e7cb72e8f7f42fd393fe69361b69450e6bae1aa6225889e58a98.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\404a9d184c56e7cb72e8f7f42fd393fe69361b69450e6bae1aa6225889e58a98.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:552 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 6923⤵
- Program crash
PID:2064
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 552 -ip 5521⤵PID:3176