bc64b62e9f5a19f3a271df84b0900cbbcbb091a62ab0c5979ba486e606c1ac3d

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 02:38

Target

bc64b62e9f5a19f3a271df84b0900cbbcbb091a62ab0c5979ba486e606c1ac3d.dll
Size

137KB
MD5

f2e82417b3170ec8332b2af7dd980e64
SHA1

bbcbcb9e1c07b8647ff54a4c197df135f78844cd
SHA256

bc64b62e9f5a19f3a271df84b0900cbbcbb091a62ab0c5979ba486e606c1ac3d
SHA512

1dff08870a3c28ed5cffbc6cd14e1f5e4a91a77db7452d8b78e16b3ba9684c228988ebac2fc12477e835adce4960f1db9c139913474a0a4458afbcccafedf2b8
SSDEEP

3072:NR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuz:A25GgFny61mraZ

Score

3^/10

discovery

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2540 2024 WerFault.exe rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

pid	pid_target	process	target process
2540	2024	WerFault.exe	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1236 wrote to memory of 2024	1236	rundll32.exe	rundll32.exe
PID 1236 wrote to memory of 2024	1236	rundll32.exe	rundll32.exe
PID 1236 wrote to memory of 2024	1236	rundll32.exe	rundll32.exe
PID 1236 wrote to memory of 2024	1236	rundll32.exe	rundll32.exe
PID 1236 wrote to memory of 2024	1236	rundll32.exe	rundll32.exe
PID 1236 wrote to memory of 2024	1236	rundll32.exe	rundll32.exe
PID 1236 wrote to memory of 2024	1236	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2540	2024	rundll32.exe	WerFault.exe
PID 2024 wrote to memory of 2540	2024	rundll32.exe	WerFault.exe
PID 2024 wrote to memory of 2540	2024	rundll32.exe	WerFault.exe
PID 2024 wrote to memory of 2540	2024	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc64b62e9f5a19f3a271df84b0900cbbcbb091a62ab0c5979ba486e606c1ac3d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc64b62e9f5a19f3a271df84b0900cbbcbb091a62ab0c5979ba486e606c1ac3d.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 228
    3⤵
    - Program crash
    PID:2540

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2024-0-0x0000000043E50000-0x0000000043E77000-memory.dmp

Filesize
156KB

Download