Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/10/2024, 17:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38N.dll
- Resource: win7-20240903-en
General
- Target: 893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38N.dll
- Size: 240KB
- MD5: b78dcb131cb6e40c10a1bc4d43e9b8f0
- SHA1: 3c5935fcde6ef32e939243482601b53e8994391e
- SHA256: 893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38
- SHA512: 79373831f69ea93aa755be4ecece1d77d4d9606cc54f489c8ea9141057f4ef52fdf9531668196e73d15f96ab3f6aee64804d8f0e0d66f06158b80c515a633304
- SSDEEP: 6144:xKZp3KNjVGvYMPXyX7MGoFlNWeqm7GGJWnA:xCxKNjcHPyYD/We28qA
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2156, Process rundll32mgr.exe
- Loads dropped DLL (9 IoCs)
  pid 1800, Process rundll32.exe (2 occurrences)
  pid 2548, Process WerFault.exe (7 occurrences)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\rundll32mgr.exe, Process rundll32.exe
- Program crash (1 IoC)
  pid 2548, pid_target 2156, Process WerFault.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process rundll32.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process rundll32mgr.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1192 wrote to memory of 1800, Process rundll32.exe, procid_target 30 (7 occurrences)
  PID 1800 wrote to memory of 2156, Process rundll32.exe, procid_target 31 (4 occurrences)
  PID 2156 wrote to memory of 2548, Process rundll32mgr.exe, procid_target 32 (4 occurrences)
Processes
Level 1: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38N.dll,#1
  PID: 1192
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38N.dll,#1
    PID: 1800
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 2156
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 92
        PID: 2548
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 121KB
  MD5: a93af43a801ff05f44ff97cb95cd886c
  SHA1: 7b19ee2905cc330bda0dfa0fb089085ebaacf5e3
  SHA256: 50063bef074ba3c8708974907de35e78f60471f167f0934fa579a03d7ddef779
  SHA512: 5620ee938a3a60bd63eb6df36f74e0e67d9fb881ab787d917db0a84e0e3741627105da957a4e45ab3056620717315566dd3a5641118be4ca6f6a6a6a9f1dbc8d