Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27-12-2024 23:53
Behavioral task
behavioral1
Sample
888a6f5f38ab1003c1b3b477a5eb080a1699477fcd96b6eae89d1aafbcf6ca79.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
888a6f5f38ab1003c1b3b477a5eb080a1699477fcd96b6eae89d1aafbcf6ca79.dll
Resource
win10v2004-20241007-en
General
-
Target
888a6f5f38ab1003c1b3b477a5eb080a1699477fcd96b6eae89d1aafbcf6ca79.dll
-
Size
76KB
-
MD5
e53bdd8984dcf3027b1d2012629747c0
-
SHA1
bd0da8288fab700350e35a309086c179d11dd853
-
SHA256
888a6f5f38ab1003c1b3b477a5eb080a1699477fcd96b6eae89d1aafbcf6ca79
-
SHA512
12da69b605ec519c0b3a77042b2835ffa211002264d023a82f5f1773148ce6f60bbbbaf48f490463a943d20f434025664ff5fc1fab7907dbef6958a3f44aa34a
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZKUDkNx3yy:c8y93KQjy7G55riF1cMo03Ry
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral1/memory/2500-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2500-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2500-3-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2304 2500 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2500 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2500 1680 rundll32.exe 30 PID 1680 wrote to memory of 2500 1680 rundll32.exe 30 PID 1680 wrote to memory of 2500 1680 rundll32.exe 30 PID 1680 wrote to memory of 2500 1680 rundll32.exe 30 PID 1680 wrote to memory of 2500 1680 rundll32.exe 30 PID 1680 wrote to memory of 2500 1680 rundll32.exe 30 PID 1680 wrote to memory of 2500 1680 rundll32.exe 30 PID 2500 wrote to memory of 2304 2500 rundll32.exe 31 PID 2500 wrote to memory of 2304 2500 rundll32.exe 31 PID 2500 wrote to memory of 2304 2500 rundll32.exe 31 PID 2500 wrote to memory of 2304 2500 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\888a6f5f38ab1003c1b3b477a5eb080a1699477fcd96b6eae89d1aafbcf6ca79.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\888a6f5f38ab1003c1b3b477a5eb080a1699477fcd96b6eae89d1aafbcf6ca79.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 3083⤵
- Program crash
PID:2304
-
-