6278156553ce26bbc3823de753ee82594701be867ede9b97d852adef98652b46

Analysis

max time kernel
16s
max time network
20s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/nsExec.dll
Size

6KB
MD5

cdff6b8f9523b6ef9f20fb5f9e90f1a5
SHA1

b25f6e0a19b41ff0a12de8e98e3005bc119d34fa
SHA256

80b2740fb3a21ffab022a96ce6b420019072f8ef3a048fd9dea4a5b64498c0c8
SHA512

62585c6a6103aed10f9a79c016df8cb630c3e37715542b5f26aa1a910771540c9b323ddbba3329db0ecf524143f7a27b782e198ce944317f764be6b9d04b792e
SSDEEP

96:W7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3trCUTMxVXw32E:IKgfwgcr8zylsB49lrCUTMxVX7

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2316	1712	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1712	2908	rundll32.exe	30
PID 2908 wrote to memory of 1712	2908	rundll32.exe	30
PID 2908 wrote to memory of 1712	2908	rundll32.exe	30
PID 2908 wrote to memory of 1712	2908	rundll32.exe	30
PID 2908 wrote to memory of 1712	2908	rundll32.exe	30
PID 2908 wrote to memory of 1712	2908	rundll32.exe	30
PID 2908 wrote to memory of 1712	2908	rundll32.exe	30
PID 1712 wrote to memory of 2316	1712	rundll32.exe	31
PID 1712 wrote to memory of 2316	1712	rundll32.exe	31
PID 1712 wrote to memory of 2316	1712	rundll32.exe	31
PID 1712 wrote to memory of 2316	1712	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 224
    3⤵
    - Program crash
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads