48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972

Analysis

max time kernel
132s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972.dll
Size

120KB
MD5

51a0669f51cbaac9392595ff9f469402
SHA1

78d48a5f127aebb8f5a62648071904a3177eb155
SHA256

48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972
SHA512

c978e9b9857e162e8535b9e4a7d84b43bdc989b6d6fbf90fde490ac7b328dd5889103ce41e39a19f42b5f71725975e1a2591629e213b44d79939f81fc4723463
SSDEEP

3072:qp5W6jCc+NE5Tii8QiehlevFuyGDvcNU4:qaEO5i8QPhl+FeD0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

e577c83.exee5797fa.exe

pid process

3636 e577c83.exe
364 e5797fa.exe

pid	process
3636	e577c83.exe
364	e5797fa.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exee577c83.exee5797fa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e577c83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5797fa.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 708 wrote to memory of 3500	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 3500	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 3500	708	rundll32.exe	rundll32.exe
PID 3500 wrote to memory of 3636	3500	rundll32.exe	e577c83.exe
PID 3500 wrote to memory of 3636	3500	rundll32.exe	e577c83.exe
PID 3500 wrote to memory of 3636	3500	rundll32.exe	e577c83.exe
PID 3500 wrote to memory of 364	3500	rundll32.exe	e5797fa.exe
PID 3500 wrote to memory of 364	3500	rundll32.exe	e5797fa.exe
PID 3500 wrote to memory of 364	3500	rundll32.exe	e5797fa.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48f46e7c4fe2747a2856fb259a0a6e9e1f30aab012d77d0b882b674fbfe1f972.dll,#1
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\e577c83.exe
C:\Users\Admin\AppData\Local\Temp\e577c83.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3636

C:\Users\Admin\AppData\Local\Temp\e5797fa.exe
C:\Users\Admin\AppData\Local\Temp\e5797fa.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e577c83.exe

Filesize
97KB

MD5
9350cf973c8b7bd0152a065d6355ffa4

SHA1
233e62631df6cad8c9e2e147c7b9fe9623f3ec54

SHA256
21c9a855472a3a72aa7b5ae9bef3a5adac603f5f0d5276ef7c9633f0483a6c21

SHA512
43315f7d9e802317a366de3c2a2becb14de6e1b26514e0fd8e59b8d67c8963eee7f18673a956be38951d852f8cf1c98a49b499e953d8a94dd0dec5e79db3905f

Download Submit
memory/3500-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3636-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3636-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download