Analysis
max time kernel: 91s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 09:07
Static task: static1
Behavioral task: behavioral1
Sample: 091c80ee443773dc30e935fbc7e09582864cf8135d275507ee5152b426439b34N.dll
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 091c80ee443773dc30e935fbc7e09582864cf8135d275507ee5152b426439b34N.dll
Resource: win10v2004-20241007-en
(The results below are from behavioral2, the win10v2004-20241007-en run named in the Analysis block; the win7-20240903-en run is not shown here.)
General
Target: 091c80ee443773dc30e935fbc7e09582864cf8135d275507ee5152b426439b34N.dll
Size: 150KB
MD5: 49796864dfb7dc29049c7c4d24b42830
SHA1: 1470e372e454454414b95d87b1458fd18d65bd14
SHA256: 091c80ee443773dc30e935fbc7e09582864cf8135d275507ee5152b426439b34
SHA512: fbb647b8458c517d69c6fa18db4fc15b71c80436a88ac56ed5d70ff1d1596c53b51576adcb724035c077c78f2d996e24579db93b8b88c0b6017fb1f70b00b2e7
SSDEEP: 3072:KHHZMRTuLcOi65ecbCKnN22lQBV+UdE+rECWp7hK5H:t2jzecbC7BV+UdvrEFp7hKV
Malware Config
Signatures

Program crash (1 IoC)
pid   pid_target  Process       procid_target
2624  3612        WerFault.exe  85
WerFault.exe (PID 2624) was started for PID 3612, the SysWOW64 rundll32.exe that hosts the sample (see Processes below).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC; MITRE ATT&CK T1614.001)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Caveat: this key is commonly read during ordinary locale initialisation, so a single open of it by rundll32.exe is a weak indicator on its own; it only gains weight next to the other behaviour in this report.

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process       procid_target
PID 3832 wrote to memory of 3612   3832  rundll32.exe  85
PID 3832 wrote to memory of 3612   3832  rundll32.exe  85
PID 3832 wrote to memory of 3612   3832  rundll32.exe  85
All three writes go from the 64-bit rundll32.exe (PID 3832) into its own child, the SysWOW64 rundll32.exe (PID 3612) that it launched with the same DLL and export. That is consistent with a parent setting up a process it has just created rather than with injection into an unrelated process, so this signature should be read together with the process tree, not as evidence of code injection by itself.
Processes

C:\Windows\system32\rundll32.exe (PID 3832)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\091c80ee443773dc30e935fbc7e09582864cf8135d275507ee5152b426439b34N.dll,#1
  signature: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 3612)
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\091c80ee443773dc30e935fbc7e09582864cf8135d275507ee5152b426439b34N.dll,#1
       signature: System Location Discovery: System Language Discovery
       └─ C:\Windows\SysWOW64\WerFault.exe (PID 2624)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 560
            signature: Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3792)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3612 -ip 3612

Reading the tree: the sandbox ran the DLL through rundll32.exe by export ordinal (,#1). The 64-bit rundll32.exe handed the DLL to its SysWOW64 (32-bit) copy, which is what rundll32 does when given a 32-bit DLL (the sample is tagged arch:x86 above). That 32-bit instance opened the NLS\Language key and then crashed; both WerFault.exe instances reference it (-p 3612), and no further behaviour was recorded. Caveat: a crash this early under rundll32 can be an analysis artefact rather than a property of the sample, for example when export #1 is not written for rundll32's four-argument entry-point convention (hwnd, hinst, lpszCmdLine, nCmdShow) or the DLL expects a specific host process, so the lack of further behaviour should not be read as the DLL being inert. Re-running with a different export or a loader that matches the DLL's expected entry point is the usual next step.
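The three signatures and the process tree above, recast as detection logic that can be run over an event log. This is an added example, not code from the report or from the sandbox that produced it; the event records are constructed by hand from the PIDs and command lines on this page, and the record schema (kind / pid / ppid / image / cmd, with "reg" and "api" records) is an assumption rather than any real log format.

```python
"""Added example (not part of the sandbox report or of the sandbox's own
detection logic): re-derive the three signatures in the report above
(WriteProcessMemory from the 64-bit rundll32 into its SysWOW64 child, the
NLS\\Language key read, and the WerFault crash of that child) as detection
code over a small event log.

EVENTS is constructed by hand from the PIDs and command lines in the
report's process tree and IoC tables. The record layout (kind / pid / ppid /
image / cmd, plus "reg" and "api" records) is an assumed generic schema,
not an export format of the sandbox.
"""
import re
from typing import Dict, List

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\091c80ee443773dc30e935fbc7e09582864cf8135d275507ee5152b426439b34N.dll")

# Constructed events (assumed schema). kind: "proc" = process creation,
# "reg" = registry key access, "api" = hooked API call.
EVENTS: List[Dict] = [
    {"kind": "proc", "pid": 3832, "ppid": None,  # parent not in the report
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"kind": "api", "pid": 3832, "api": "WriteProcessMemory", "target": 3612},
    {"kind": "api", "pid": 3832, "api": "WriteProcessMemory", "target": 3612},
    {"kind": "api", "pid": 3832, "api": "WriteProcessMemory", "target": 3612},
    {"kind": "proc", "pid": 3612, "ppid": 3832,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"kind": "reg", "pid": 3612, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "op": "open",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"kind": "proc", "pid": 2624, "ppid": 3612,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 560"},
    {"kind": "proc", "pid": 3792, "ppid": None,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3612 -ip 3612"},
]

# "rundll32[.exe] <dll>,<export>": the export is a name or an ordinal (#n).
RUNDLL_ARGS = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),(?P<export>#?\w+)", re.I)
# WerFault's "-p <crashed pid>"; the "-pss" switch must not match.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def rundll32_args(cmd: str):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_ARGS.search(cmd)
    return (m.group("dll"), m.group("export")) if m else None


def detect(events: List[Dict]) -> List[str]:
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    findings: List[str] = []

    # 1. rundll32 running a DLL from a user temp directory by ordinal: ordinal
    #    exports are how loaders (and sandboxes) execute arbitrary DLL code.
    for p in procs.values():
        args = rundll32_args(p["cmd"]) if p["image"].lower().endswith("rundll32.exe") else None
        if args and "\\appdata\\local\\temp\\" in args[0].lower() and args[1].startswith("#"):
            findings.append(f"rundll32 pid {p['pid']} runs temp DLL by ordinal {args[1]}")

    # 2. 64-bit rundll32 respawning the SysWOW64 copy with the same DLL and
    #    export, and writing into it (the WriteProcessMemory IoC). The parent
    #    -> own-child relation is what separates this from injection.
    writes = {(e["pid"], e["target"]) for e in events
              if e["kind"] == "api" and e["api"] == "WriteProcessMemory"}
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if (parent and "\\syswow64\\rundll32.exe" in p["image"].lower()
                and "\\system32\\rundll32.exe" in parent["image"].lower()
                and rundll32_args(p["cmd"]) == rundll32_args(parent["cmd"])):
            note = " with WriteProcessMemory" if (parent["pid"], p["pid"]) in writes else ""
            findings.append(f"cross-arch rundll32 respawn {parent['pid']} -> {p['pid']}{note}")

    # 3. The sample's rundll32 crashed: WerFault was launched with -p <that pid>.
    #    Both WerFault instances in the report name the same victim, so group them.
    crashed: Dict[int, List[int]] = {}
    for p in procs.values():
        if p["image"].lower().endswith("werfault.exe"):
            m = WERFAULT_PID.search(p["cmd"])
            if m:
                crashed.setdefault(int(m.group(1)), []).append(p["pid"])
    for victim, reporters in crashed.items():
        if victim in procs and "rundll32" in procs[victim]["image"].lower():
            pids = ", ".join(str(r) for r in reporters)
            findings.append(f"rundll32 pid {victim} crashed (WerFault pids {pids})")

    # 4. System language discovery (ATT&CK T1614.001): rundll32 opening the
    #    NLS\Language key. Weak on its own; reported here because it co-occurs.
    for e in events:
        if (e["kind"] == "reg" and "rundll32" in e["image"].lower()
                and e["key"].lower().endswith("\\control\\nls\\language")):
            findings.append(f"pid {e['pid']} opened system language key (T1614.001)")

    return findings


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

Run as a script it prints one line per finding. The useful part for a detection rule is finding 2: keying on the parent/child relation and the identical DLL argument distinguishes rundll32's own 32-bit relaunch from a rundll32 process writing into something it did not create.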
Network

All recorded traffic is reverse-DNS (PTR) lookups sent to 8.8.8.8:53; the report lists no TCP, HTTP or other flows, so this run yields no C2 address or download URL. Only the first lookup got a PTR answer (8.8.8.8 resolves to dns.google); the other eleven came back with an empty answer section. The "IP looked up" column is the address each in-addr.arpa name decodes to (the four octets in reverse order); it is derived from the request name, not an address the report shows a connection to. Sizes are bytes sent and received per lookup, including IP and UDP headers.

Request (IN PTR, to 8.8.8.8:53)   IP looked up      Answer       Sent   Received  Req/Resp
8.8.8.8.in-addr.arpa              8.8.8.8           dns.google   66 B   90 B      1/1
13.86.106.20.in-addr.arpa         20.106.86.13      (empty)      71 B   157 B     1/1
134.130.81.91.in-addr.arpa        91.81.130.134     (empty)      72 B   147 B     1/1
95.221.229.192.in-addr.arpa       192.229.221.95    (empty)      73 B   144 B     1/1
136.32.126.40.in-addr.arpa        40.126.32.136     (empty)      72 B   158 B     1/1
209.205.72.20.in-addr.arpa        20.72.205.209     (empty)      72 B   158 B     1/1
104.219.191.52.in-addr.arpa       52.191.219.104    (empty)      73 B   147 B     1/1
200.163.202.172.in-addr.arpa      172.202.163.200   (empty)      74 B   160 B     1/1
15.164.165.52.in-addr.arpa        52.165.164.15     (empty)      72 B   146 B     1/1
172.210.232.199.in-addr.arpa      199.232.210.172   (empty)      74 B   128 B     1/1
172.214.232.199.in-addr.arpa      199.232.214.172   (empty)      74 B   128 B     1/1
30.243.111.52.in-addr.arpa        52.111.243.30     (empty)      72 B   158 B     1/1
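Decoding the PTR table above back to the addresses that were looked up, and checking what the byte columns actually measure. This is an added example, not code from the report or from the sandbox; the rows are transcribed from this page, and reading the two byte columns as "sent" and "received" is an assumption that the size check in the code confirms (every "sent" value equals an IPv4 header, a UDP header, a DNS header and the encoded question, with nothing else).

```python
"""Added example (not part of the sandbox report): decode the PTR lookups in
the Network section back to the IP addresses that were looked up, and check
the per-request byte counts against the wire size of a minimal DNS query.

PTR_ROWS is transcribed from this page (name, bytes sent, bytes received,
PTR answer). Treating the two byte columns as 'sent' and 'received' is an
assumption; summarize() verifies it by showing that every 'sent' value is
exactly IPv4 + UDP + DNS header plus the encoded question.
"""
from typing import Dict, List, Optional, Tuple

PTR_ROWS: List[Tuple[str, int, int, Optional[str]]] = [
    ("8.8.8.8.in-addr.arpa", 66, 90, "dns.google"),
    ("13.86.106.20.in-addr.arpa", 71, 157, None),
    ("134.130.81.91.in-addr.arpa", 72, 147, None),
    ("95.221.229.192.in-addr.arpa", 73, 144, None),
    ("136.32.126.40.in-addr.arpa", 72, 158, None),
    ("209.205.72.20.in-addr.arpa", 72, 158, None),
    ("104.219.191.52.in-addr.arpa", 73, 147, None),
    ("200.163.202.172.in-addr.arpa", 74, 160, None),
    ("15.164.165.52.in-addr.arpa", 72, 146, None),
    ("172.210.232.199.in-addr.arpa", 74, 128, None),
    ("172.214.232.199.in-addr.arpa", 74, 128, None),
    ("30.243.111.52.in-addr.arpa", 72, 158, None),
]

IPV4_UDP_HEADERS = 20 + 8   # IPv4 header + UDP header on each datagram
DNS_HEADER = 12             # id, flags, four 16-bit section counts
DNS_QTYPE_QCLASS = 4        # QTYPE + QCLASS after the QNAME


def ptr_to_ip(name: str) -> str:
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13' (PTR names reverse the octets)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    octets = labels[:4][::-1]
    if any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"bad octet in {name}")
    return ".".join(octets)


def dns_query_wire_size(name: str) -> int:
    """Bytes on the wire for a minimal (no EDNS) IPv4/UDP DNS query for `name`.

    QNAME is a sequence of length-prefixed labels terminated by a zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    qname = sum(len(lab) + 1 for lab in labels) + 1
    return IPV4_UDP_HEADERS + DNS_HEADER + qname + DNS_QTYPE_QCLASS


def summarize(rows=PTR_ROWS) -> List[Dict]:
    """One record per lookup: decoded IP, answer, byte counts, and whether the
    'sent' count is exactly a minimal query (nothing extra, e.g. no EDNS OPT)."""
    return [{
        "ip": ptr_to_ip(name),
        "answer": answer,
        "sent": sent,
        "recv": recv,
        "minimal_query": sent == dns_query_wire_size(name),
    } for name, sent, recv, answer in rows]


if __name__ == "__main__":
    for r in summarize():
        print(f"{r['ip']:<16} answer={r['answer'] or '-'} sent={r['sent']} "
              f"recv={r['recv']} minimal_query={r['minimal_query']}")
```

The decoded list is what to feed into threat-intel or ownership lookups; the size check is there so the reader can see that the "sent" column is raw datagram size rather than DNS payload size, which matters when comparing these numbers with a packet capture.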