Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/01/2025, 02:36
Behavioral task
behavioral1
Sample
737f86899c079deb7468ae0ca3f479a492f6b9cd472c1174015a3a43571daa09.dll
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
737f86899c079deb7468ae0ca3f479a492f6b9cd472c1174015a3a43571daa09.dll
Resource
win10v2004-20241007-en
General
-
Target
737f86899c079deb7468ae0ca3f479a492f6b9cd472c1174015a3a43571daa09.dll
-
Size
76KB
-
MD5
cee6cff751c38975399039e234ccde6c
-
SHA1
6e37eb22abafca449054898ea8f0fd60f13512f4
-
SHA256
737f86899c079deb7468ae0ca3f479a492f6b9cd472c1174015a3a43571daa09
-
SHA512
ccaeb8d5b69a747c952f3f9ba30200e2da212fe1ceaf04324d99f7b87e225f3c77570486d800a0ca05f57e0a07d0f676c268aaa77cd0580f5957d3af088829aa
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZBTG7p:c8y93KQjy7G55riF1cMo03bTE
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral2/memory/2892-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/2892-1-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 1632 2892 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2892 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3396 wrote to memory of 2892 3396 rundll32.exe 83 PID 3396 wrote to memory of 2892 3396 rundll32.exe 83 PID 3396 wrote to memory of 2892 3396 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\737f86899c079deb7468ae0ca3f479a492f6b9cd472c1174015a3a43571daa09.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\737f86899c079deb7468ae0ca3f479a492f6b9cd472c1174015a3a43571daa09.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2892 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 7083⤵
- Program crash
PID:1632
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2892 -ip 28921⤵PID:3368