4b612d715f140a15e128c5d7386040457a33ce8b17a7e82dda063883b1d980ab

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 07:52

Target

4b612d715f140a15e128c5d7386040457a33ce8b17a7e82dda063883b1d980ab.dll
Size

4.7MB
MD5

5cf7e02da5e3670c27f652a77e77219c
SHA1

56b0bcc642e9e4e2d51d49715159e32600bab5e5
SHA256

4b612d715f140a15e128c5d7386040457a33ce8b17a7e82dda063883b1d980ab
SHA512

0d181b9e1120135c7fe6382e7b6fe8ca2d5969172d57d4bb3e4ff403c05da4eed7aac7fff3c4865082bfe48d67ddbc88b7270a1dd3bcba5106dc147b0b7078dc
SSDEEP

98304:XfKvdjBBRLhaAfvgQHWyQLAFdH8zsgI9ElpG6XVLM/22wBGp68NjriBL3Ij:vKvdjdL1vxWyQLmdcIzmlpGYoyopRKLq

Score

3^/10

discovery

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	rundll32.exe
1408	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 280 wrote to memory of 1408	280	rundll32.exe	30
PID 280 wrote to memory of 1408	280	rundll32.exe	30
PID 280 wrote to memory of 1408	280	rundll32.exe	30
PID 280 wrote to memory of 1408	280	rundll32.exe	30
PID 280 wrote to memory of 1408	280	rundll32.exe	30
PID 280 wrote to memory of 1408	280	rundll32.exe	30
PID 280 wrote to memory of 1408	280	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b612d715f140a15e128c5d7386040457a33ce8b17a7e82dda063883b1d980ab.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:280
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b612d715f140a15e128c5d7386040457a33ce8b17a7e82dda063883b1d980ab.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1408

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1408-0-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1408-5-0x00000000736A0000-0x0000000073DE8000-memory.dmp

Filesize
7.3MB

Download
memory/1408-4-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1408-2-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1408-7-0x00000000736BD000-0x000000007393F000-memory.dmp

Filesize
2.5MB

Download
memory/1408-9-0x00000000736A0000-0x0000000073DE8000-memory.dmp

Filesize
7.3MB

Download
memory/1408-10-0x00000000736A0000-0x0000000073DE8000-memory.dmp

Filesize
7.3MB

Download
memory/1408-11-0x00000000736BD000-0x000000007393F000-memory.dmp

Filesize
2.5MB

Download