Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-12-2024 05:15
Behavioral task
behavioral1
Sample
e6fd42c99be1741324693bec71e23dc7d7053af8e5c9e0541e6547a4f75cb42aN.dll
Resource
win7-20240903-en
windows7-x64
5 signatures
120 seconds
General
-
Target
e6fd42c99be1741324693bec71e23dc7d7053af8e5c9e0541e6547a4f75cb42aN.dll
-
Size
76KB
-
MD5
6a4f0210361ef9a364ddd5db6679f330
-
SHA1
c6f670dc63960bb2ed321ecd6d9a4e02cfe8bae5
-
SHA256
e6fd42c99be1741324693bec71e23dc7d7053af8e5c9e0541e6547a4f75cb42a
-
SHA512
0c915e6b789a80082fdb57251b7274f3f064d5f85565e15fda406c3c20f1153658e202bc50cca678fa58725f194a7b1ae691215fbab33ef21fcd6f78dfc3b475
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZzyrXa33E8ym:c8y93KQjy7G55riF1cMo0333gm
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/340-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/340-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/340-2-0x0000000010000000-0x0000000010030000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 340 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 340 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1960 wrote to memory of 340 1960 rundll32.exe 30 PID 1960 wrote to memory of 340 1960 rundll32.exe 30 PID 1960 wrote to memory of 340 1960 rundll32.exe 30 PID 1960 wrote to memory of 340 1960 rundll32.exe 30 PID 1960 wrote to memory of 340 1960 rundll32.exe 30 PID 1960 wrote to memory of 340 1960 rundll32.exe 30 PID 1960 wrote to memory of 340 1960 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e6fd42c99be1741324693bec71e23dc7d7053af8e5c9e0541e6547a4f75cb42aN.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e6fd42c99be1741324693bec71e23dc7d7053af8e5c9e0541e6547a4f75cb42aN.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340
-