e901fe3c38c4be94bacb5d3b74ac1b6dc8a43b9aff1cb5d219228cce90057f95

General

Target

6bd2b7e11342715405af352c81015220N.dll
Size

233KB
MD5

6bd2b7e11342715405af352c81015220
SHA1

67fbce6ebc381e01ab31d75e4e639ba00bcb1068
SHA256

e901fe3c38c4be94bacb5d3b74ac1b6dc8a43b9aff1cb5d219228cce90057f95
SHA512

23ffd95f7042ede946c49e94014f8600a19445dd2823d55bb98bf79dce64a0c390c88d37f296fe4c937424adadb833eb30faec060102692a6150a99ebff07e91
SSDEEP

3072:3nQfaIFaPkBh1iDDxqBta5aenZ84irt6b6aXC:gff0Dt06ae+4+tPaXC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2280	rundll32mgr.exe
2120	hrlC542.tmp
2720	kkmiuy.exe

Loads dropped DLL 12 IoCs

pid	Process
2248	rundll32.exe
2248	rundll32.exe
2248	rundll32.exe
2248	rundll32.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2720	kkmiuy.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kkmiuy.exe	hrlC542.tmp
File created	C:\Windows\SysWOW64\gei33.dll	kkmiuy.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\kkmiuy.exe	hrlC542.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2496	2280	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrlC542.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kkmiuy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2248	2272	rundll32.exe	30
PID 2272 wrote to memory of 2248	2272	rundll32.exe	30
PID 2272 wrote to memory of 2248	2272	rundll32.exe	30
PID 2272 wrote to memory of 2248	2272	rundll32.exe	30
PID 2272 wrote to memory of 2248	2272	rundll32.exe	30
PID 2272 wrote to memory of 2248	2272	rundll32.exe	30
PID 2272 wrote to memory of 2248	2272	rundll32.exe	30
PID 2248 wrote to memory of 2280	2248	rundll32.exe	31
PID 2248 wrote to memory of 2280	2248	rundll32.exe	31
PID 2248 wrote to memory of 2280	2248	rundll32.exe	31
PID 2248 wrote to memory of 2280	2248	rundll32.exe	31
PID 2248 wrote to memory of 2120	2248	rundll32.exe	32
PID 2248 wrote to memory of 2120	2248	rundll32.exe	32
PID 2248 wrote to memory of 2120	2248	rundll32.exe	32
PID 2248 wrote to memory of 2120	2248	rundll32.exe	32
PID 2280 wrote to memory of 2496	2280	rundll32mgr.exe	33
PID 2280 wrote to memory of 2496	2280	rundll32mgr.exe	33
PID 2280 wrote to memory of 2496	2280	rundll32mgr.exe	33
PID 2280 wrote to memory of 2496	2280	rundll32mgr.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bd2b7e11342715405af352c81015220N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bd2b7e11342715405af352c81015220N.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:2496
- - C:\Users\Admin\AppData\Local\Temp\hrlC542.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlC542.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2120

C:\Windows\SysWOW64\kkmiuy.exe
C:\Windows\SysWOW64\kkmiuy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlC542.tmp

Filesize
18KB

MD5
dfec8754729106e198a4cdfc20289e06

SHA1
a7ee407fdb27f22799fd79e985b0f6eabe0e26b1

SHA256
1e11dbc5df02774f245b5fbec0b0ae7f453defece78456c44197a9f1c2275822

SHA512
7fa06853706d6a660182dd1a31f1ec3b4d5f27b8520c11c1dd5e9331fb5f3821746ec1130cc289f7468a5f09d731d38012d68fb7dead2dc8a5122e5df8302f68

Download Submit
\Windows\SysWOW64\gei33.dll

Filesize
9KB

MD5
1f52809549866ed5302ef4dddf07cfd5

SHA1
471347876109e1d68e9bb1d8f45075ba9f539d60

SHA256
df3e3e7017f363678a7f1ce3f3286f4e816a7e62fea13245d0ca31195b86aac9

SHA512
947411bb6cafb9fdf9af35a6e9753c6751314a1f0547d1b1b86523e7340ff35acece0f47cad9a023fd8e57cd1f4eed36974dd212124c97163598a2fb87733c9b

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
202KB

MD5
fa768e720ef3b60d4b239e280240a15e

SHA1
fe82995aeae95f06a743c6c37b6a7bb2119e72b4

SHA256
ad51b691b4a329b286f4e3387f5f504b43b720d731eedab8742b92f454e401e5

SHA512
1c24b660702d2a3ffabee76df4d3ae518d0d1d159fb45c3be0cc383eb876361377b838b98aa441ae562580190de530e07ff00ad1d82d2aca7ad172f41076fdcd

Download Submit
memory/2120-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-28-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2120-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2248-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2248-18-0x0000000000190000-0x00000000001B9000-memory.dmp

Filesize
164KB

Download
memory/2248-19-0x00000000000C0000-0x00000000000DB000-memory.dmp

Filesize
108KB

Download
memory/2248-10-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2248-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2280-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-36-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2720-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-50-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing