1e52e16cc52574c6b43b2c514905941ace2b90e06ea3ab7e653b9db57e51d2e1

General

Target

$APPDATA/pubgfx32cfg/pubgfx32cfg.exe
Size

257KB
MD5

058b152a63d1c2ba7987e7d03c7b5fcd
SHA1

3018ea4587064c68c2cfae997f9284f2bab53bba
SHA256

d679a848c521cb382d493f4df7621b2b41e4ab00f19eae205a05b45a762f8213
SHA512

3989320ff7a8a7abb1211fd5506e5fad1349aee3099381b4ce2c95e3aedede17802aafb039352cda51edf96335273795b111a160a6448ea474ab7df5406f24c2
SSDEEP

6144:HSQgmiNBOta44168rfP3oC4H0rjMw7QtaQrf/mrfhJJIw:HSQg/B4a4E7jSijMw7Q3rmrZJF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4852	pubgfx32cfg.exe

Loads dropped DLL 3 IoCs

pid	Process
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	1968	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pubgfx32cfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pubgfx32cfg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4852	2740	pubgfx32cfg.exe	84
PID 2740 wrote to memory of 4852	2740	pubgfx32cfg.exe	84
PID 2740 wrote to memory of 4852	2740	pubgfx32cfg.exe	84
PID 4852 wrote to memory of 1968	4852	pubgfx32cfg.exe	85
PID 4852 wrote to memory of 1968	4852	pubgfx32cfg.exe	85
PID 4852 wrote to memory of 1968	4852	pubgfx32cfg.exe	85

C:\Users\Admin\AppData\Local\Temp\$APPDATA\pubgfx32cfg\pubgfx32cfg.exe
"C:\Users\Admin\AppData\Local\Temp\$APPDATA\pubgfx32cfg\pubgfx32cfg.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Roaming\pubgfx32cfg\pubgfx32cfg.exe
  C:\Users\Admin\AppData\Roaming\pubgfx32cfg\pubgfx32cfg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Roaming\PUBGFX~1\PUBGFX~1.DLL 000
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 744
      4⤵
      Program crash
      PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1968 -ip 1968
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PUBGFX~1\PUBGFX~1.DLL

Filesize
234KB

MD5
aa78ed264fbf2b71593bd97dc7758922

SHA1
806d66feca44f1a819bb29a6df44837700cc86f2

SHA256
ba248b004816e0a8de533fe5e760849e71da7326503d7c9bf3aa2538afb18c1e

SHA512
b670f758eddf490a8bab8ada82b7e7763227d71b6f9293ba61388917c94ec4922cadb0f283f2e9d97d6390a3a2eee180951479987dc103f807634c3ec631d3ec

Download Submit
C:\Users\Admin\AppData\Roaming\pubgfx32cfg\otndqjcah.dll

Filesize
160KB

MD5
c2ee8ad0f858a05577ca88db711a8d5d

SHA1
b02c6dabab9ed67178bc6686d7cdbc7c2c51d195

SHA256
36ea9f03bb8f201f9b53503473c2b95ecc23c71944993f165963a9922d1d64a2

SHA512
2a5da162b9271fdd75fd6cda24f349a1517ae4e40377438a312f2c100ad3d9016ecedb0e25a3978df950a124611fad5cd71f6f037b7c7857d091607d0a93358a

Download Submit
C:\Users\Admin\AppData\Roaming\pubgfx32cfg\pubgfx32cfg.exe

Filesize
257KB

MD5
058b152a63d1c2ba7987e7d03c7b5fcd

SHA1
3018ea4587064c68c2cfae997f9284f2bab53bba

SHA256
d679a848c521cb382d493f4df7621b2b41e4ab00f19eae205a05b45a762f8213

SHA512
3989320ff7a8a7abb1211fd5506e5fad1349aee3099381b4ce2c95e3aedede17802aafb039352cda51edf96335273795b111a160a6448ea474ab7df5406f24c2

Download Submit
memory/1968-31-0x0000000000F10000-0x0000000000F3A000-memory.dmp

Filesize
168KB

Download
memory/1968-27-0x0000000000F10000-0x0000000000F3A000-memory.dmp

Filesize
168KB

Download
memory/1968-32-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/1968-18-0x0000000010001000-0x0000000010006000-memory.dmp

Filesize
20KB

Download
memory/1968-26-0x0000000000F10000-0x0000000000F3A000-memory.dmp

Filesize
168KB

Download
memory/1968-16-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/1968-17-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/1968-15-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/1968-28-0x0000000000F10000-0x0000000000F3A000-memory.dmp

Filesize
168KB

Download
memory/1968-29-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1968-30-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2740-9-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2740-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2740-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2740-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4852-11-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4852-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing