Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2024, 18:08
Behavioral task
behavioral1
Sample
fa40af857bbf416fb4ace46fd4a082c9021ff1ac7ecbb9c2d13ae4e99191e461N.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fa40af857bbf416fb4ace46fd4a082c9021ff1ac7ecbb9c2d13ae4e99191e461N.dll
Resource
win10v2004-20241007-en
General
-
Target
fa40af857bbf416fb4ace46fd4a082c9021ff1ac7ecbb9c2d13ae4e99191e461N.dll
-
Size
203KB
-
MD5
8654ff22517faf482bd9a7e3b5610380
-
SHA1
d360a822e9d00e1987e81cde987e34855080bd79
-
SHA256
fa40af857bbf416fb4ace46fd4a082c9021ff1ac7ecbb9c2d13ae4e99191e461
-
SHA512
fbd1a36430530ad553f7a62b9efc7d10140e91e1479685dafde150f25a0164687be095b5d12585c6e485a992f3c25d9b79a56863b21d79436829ebf13dfd28f0
-
SSDEEP
3072:hJ8IMILmCa3yx6oFEdgVXnFYf7C9Ugfxm3Nep9viMLgPI:0kmCaiEoFEd+FYOtxmdeviMLgPI
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral2/memory/3728-0-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral2/memory/3728-1-0x0000000010000000-0x0000000010033000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3728 rundll32.exe 3728 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3728 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4708 wrote to memory of 3728 4708 rundll32.exe 83 PID 4708 wrote to memory of 3728 4708 rundll32.exe 83 PID 4708 wrote to memory of 3728 4708 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fa40af857bbf416fb4ace46fd4a082c9021ff1ac7ecbb9c2d13ae4e99191e461N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fa40af857bbf416fb4ace46fd4a082c9021ff1ac7ecbb9c2d13ae4e99191e461N.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728
-