0bdc6c9bea314206994a9352f61895004ed414bcb767de035d9f9c5142916a11

Analysis

max time kernel
433s
max time network
443s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msimg32.dll
Size

30.0MB
MD5

a154217644d7083db5c2bca05fd663b0
SHA1

cc3d43e548f2aca58240eff9485298857f891f33
SHA256

a6e810e74c7e60ec30caa633ffe4c05d6f17aa3441883ce6b66ae5bb83a01c02
SHA512

ce5c3a6e9fcbea041b8ce2966a02ae2de3b07dc4f8eef8cb96a4408ee2fe39b2a02b4bd0f99f3ad04a279a839c374f649b7666209629ed86c07362e4c1302a0b
SSDEEP

49152:Tmp1wTHyQhBCMsvEqDZLOkALP7fivHBbsF:T21wTHF5svPDkkk2H

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2408	4300	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 5116 wrote to memory of 4300	5116	rundll32.exe	85
PID 5116 wrote to memory of 4300	5116	rundll32.exe	85
PID 5116 wrote to memory of 4300	5116	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 560
    3⤵
    - Program crash
    PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4300 -ip 4300
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4300-0-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/4300-1-0x0000000010026000-0x0000000010040000-memory.dmp

Filesize
104KB

Download