48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 06:30

Target

48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972.dll
Size

120KB
MD5

51a0669f51cbaac9392595ff9f469402
SHA1

78d48a5f127aebb8f5a62648071904a3177eb155
SHA256

48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972
SHA512

c978e9b9857e162e8535b9e4a7d84b43bdc989b6d6fbf90fde490ac7b328dd5889103ce41e39a19f42b5f71725975e1a2591629e213b44d79939f81fc4723463
SSDEEP

3072:qp5W6jCc+NE5Tii8QiehlevFuyGDvcNU4:qaEO5i8QPhl+FeD0

Score

7^/10

discovery

Executes dropped EXE 1 IoCs

Processes:

f76b5f7.exe

pid process

2232 f76b5f7.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2552 rundll32.exe
2552 rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

pid	process
2232	f76b5f7.exe

pid	process
2552	rundll32.exe
2552	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2504 wrote to memory of 2552	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2552	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2552	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2552	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2552	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2552	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 2552	2504	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2232	2552	rundll32.exe	f76b5f7.exe
PID 2552 wrote to memory of 2232	2552	rundll32.exe	f76b5f7.exe
PID 2552 wrote to memory of 2232	2552	rundll32.exe	f76b5f7.exe
PID 2552 wrote to memory of 2232	2552	rundll32.exe	f76b5f7.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\f76b5f7.exe
C:\Users\Admin\AppData\Local\Temp\f76b5f7.exe
3⤵
- Executes dropped EXE
PID:2232

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\f76b5f7.exe

Filesize
97KB

MD5
9350cf973c8b7bd0152a065d6355ffa4

SHA1
233e62631df6cad8c9e2e147c7b9fe9623f3ec54

SHA256
21c9a855472a3a72aa7b5ae9bef3a5adac603f5f0d5276ef7c9633f0483a6c21

SHA512
43315f7d9e802317a366de3c2a2becb14de6e1b26514e0fd8e59b8d67c8963eee7f18673a956be38951d852f8cf1c98a49b499e953d8a94dd0dec5e79db3905f

Download Submit
memory/2232-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2552-4-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2552-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2552-11-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download