Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/10/2024, 17:51

General

  • Target

    893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38N.dll

  • Size

    240KB

  • MD5

    b78dcb131cb6e40c10a1bc4d43e9b8f0

  • SHA1

    3c5935fcde6ef32e939243482601b53e8994391e

  • SHA256

    893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38

  • SHA512

    79373831f69ea93aa755be4ecece1d77d4d9606cc54f489c8ea9141057f4ef52fdf9531668196e73d15f96ab3f6aee64804d8f0e0d66f06158b80c515a633304

  • SSDEEP

    6144:xKZp3KNjVGvYMPXyX7MGoFlNWeqm7GGJWnA:xCxKNjcHPyYD/We28qA

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\893913ff4387fefdd328d30c720c9b30ea7b34fb3c3d481cfba2791f2ade6a38N.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 92
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2548

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windows\SysWOW64\rundll32mgr.exe

          Filesize

          121KB

          MD5

          a93af43a801ff05f44ff97cb95cd886c

          SHA1

          7b19ee2905cc330bda0dfa0fb089085ebaacf5e3

          SHA256

          50063bef074ba3c8708974907de35e78f60471f167f0934fa579a03d7ddef779

          SHA512

          5620ee938a3a60bd63eb6df36f74e0e67d9fb881ab787d917db0a84e0e3741627105da957a4e45ab3056620717315566dd3a5641118be4ca6f6a6a6a9f1dbc8d

        • memory/1800-6-0x0000000000170000-0x00000000001A2000-memory.dmp

          Filesize

          200KB

        • memory/1800-3-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/1800-1-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/1800-0-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2156-12-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/2156-20-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB