463408ee65d826d76aedbb40faf5b457e005cef80be0bed20ae6b1c4a9bc5941

Resubmissions

06/10/2024, 07:38

241006-jglrbsvhlj 7

06/10/2024, 07:33

241006-jdqacazbqb 7

Analysis

max time kernel
101s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 07:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AGERC.dll
Size

391KB
MD5

541b7fa15e4ebeed2cafe981bf728c88
SHA1

99d477f314d61f1d5f8080361baa663cecf7a783
SHA256

13fd92ca96056f36a68aa4386cfb339511c02dc5bd8d5d4303fb7a95d6a9cb61
SHA512

b16ea1e72032ef353ee86158e990441851b49622470c01b53091846bd105ee4dd5eb416082265b3b5bdae07a62ef2d2ee249586ca636d1a3e49f06afd957f929
SSDEEP

6144:rsiHkOUki/YbBpFwCOhdwBC7Qok8SQF/AjoL6pmn+aC1meyUGimMiG/v/nmQav:gaX1iVh0C7QozlA660W1meyUGpQGQu

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1928	2260	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2260	3428	rundll32.exe	82
PID 3428 wrote to memory of 2260	3428	rundll32.exe	82
PID 3428 wrote to memory of 2260	3428	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AGERC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\AGERC.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 688
    3⤵
    - Program crash
    PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2260 -ip 2260
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2260-2-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2260-4-0x0000000002C20000-0x0000000002C23000-memory.dmp

Filesize
12KB

Download
memory/2260-3-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/2260-0-0x00000000754C0000-0x000000007587E000-memory.dmp

Filesize
3.7MB

Download
memory/2260-7-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2260-6-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2260-5-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2260-8-0x00000000754C0000-0x000000007587E000-memory.dmp

Filesize
3.7MB

Download