Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-01-2025 03:51
Behavioral task
behavioral1
Sample
bb25de47e8dae5c2128ba3c6bf72617a043e7cc2f138bab040da36dd41fcb8ef.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bb25de47e8dae5c2128ba3c6bf72617a043e7cc2f138bab040da36dd41fcb8ef.dll
Resource
win10v2004-20241007-en
General
-
Target
bb25de47e8dae5c2128ba3c6bf72617a043e7cc2f138bab040da36dd41fcb8ef.dll
-
Size
76KB
-
MD5
3048550f118643b25c0cc4916e230a6c
-
SHA1
e045f56699cf6d56972d584ba4eff2847e1d98fd
-
SHA256
bb25de47e8dae5c2128ba3c6bf72617a043e7cc2f138bab040da36dd41fcb8ef
-
SHA512
6f6b5122112cbea379975cb4f65a82d5d3cfcc2d11cd81dc91c3fd22c50a1d30184e7a644f951774d31994777b13e3f9209130a92148ae7580f57df0cf7d18a6
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZfaJfgORzRanOM03qmD:c8y93KQjy7G55riF1cMo03FaJIORzRdp
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral1/memory/2472-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2472-2-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2472-4-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2516 2472 WerFault.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2472 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2472 2276 rundll32.exe 31 PID 2276 wrote to memory of 2472 2276 rundll32.exe 31 PID 2276 wrote to memory of 2472 2276 rundll32.exe 31 PID 2276 wrote to memory of 2472 2276 rundll32.exe 31 PID 2276 wrote to memory of 2472 2276 rundll32.exe 31 PID 2276 wrote to memory of 2472 2276 rundll32.exe 31 PID 2276 wrote to memory of 2472 2276 rundll32.exe 31 PID 2472 wrote to memory of 2516 2472 rundll32.exe 32 PID 2472 wrote to memory of 2516 2472 rundll32.exe 32 PID 2472 wrote to memory of 2516 2472 rundll32.exe 32 PID 2472 wrote to memory of 2516 2472 rundll32.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bb25de47e8dae5c2128ba3c6bf72617a043e7cc2f138bab040da36dd41fcb8ef.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bb25de47e8dae5c2128ba3c6bf72617a043e7cc2f138bab040da36dd41fcb8ef.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 3323⤵
- Program crash
PID:2516
-
-