7e8eb69adadb7337fa6a7b18c08b7d3f1ccef733157db636f23e5ec3603a2550

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/nsisdl.dll
Size

12KB
MD5

e4145a76f37b199c3cb9ab8d23c3c1d6
SHA1

b6beecaaf0f29d02f293e07954ebd7f7df25160b
SHA256

ab657405df2b4d86793a4959a7c8c86ffbcc732733bc884f001fcb1219e68a9d
SHA512

9fe0796a76998b80c2d34825ba0256147cb8104bf2b39fa3d8642ab8a7ef99cf2fd9715bb73661b4e42c47125a22d96e1e85abb88018bfc97548823f7a254b06
SSDEEP

192:LijhVfwS3xhHWFOmsyhi2atzNl7MXRdoamvBWAA0LemnmrR21SA:LinwChHWdxi2atzNlE5BALe+E8b

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3152	1076	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1076	1856	rundll32.exe	85
PID 1856 wrote to memory of 1076	1856	rundll32.exe	85
PID 1856 wrote to memory of 1076	1856	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 628
    3⤵
    - Program crash
    PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1076 -ip 1076
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads