115b3ecabcad34213c2392e2918daa5b41a77c55d6efd5df2d33462e6054174e

General

Target

115b3ecabcad34213c2392e2918daa5b41a77c55d6efd5df2d33462e6054174e.dll
Size

456KB
MD5

0e75ff88cda6b552dbd7c823511e5adc
SHA1

c9cbbec555e7ebadfd3bbe059648dd0faf9a8e16
SHA256

115b3ecabcad34213c2392e2918daa5b41a77c55d6efd5df2d33462e6054174e
SHA512

5cd3959f2aff978c16c30d8a7134cbf5535084705e315dcc5975d223a1104bf003c9be4801743f31773920bd0963734a285274942a020efb449fb76850ef6e66
SSDEEP

12288:5n2QK/lGRgOUqmq9kR6lhKXPqljtOBZh+axlQP:5n2QK/cRgOnmq9g6uqKLh+emP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2108	rundll32mgr.exe
1348	hrl9FBA.tmp
1712	dipzew.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	dipzew.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dipzew.exe	hrl9FBA.tmp
File opened for modification	C:\Windows\SysWOW64\dipzew.exe	hrl9FBA.tmp
File created	C:\Windows\SysWOW64\gei33.dll	dipzew.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023ba0-5.dat	upx
behavioral2/memory/2108-7-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
760	2108	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrl9FBA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dipzew.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4976	4868	rundll32.exe	83
PID 4868 wrote to memory of 4976	4868	rundll32.exe	83
PID 4868 wrote to memory of 4976	4868	rundll32.exe	83
PID 4976 wrote to memory of 2108	4976	rundll32.exe	84
PID 4976 wrote to memory of 2108	4976	rundll32.exe	84
PID 4976 wrote to memory of 2108	4976	rundll32.exe	84
PID 4976 wrote to memory of 1348	4976	rundll32.exe	85
PID 4976 wrote to memory of 1348	4976	rundll32.exe	85
PID 4976 wrote to memory of 1348	4976	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\115b3ecabcad34213c2392e2918daa5b41a77c55d6efd5df2d33462e6054174e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\115b3ecabcad34213c2392e2918daa5b41a77c55d6efd5df2d33462e6054174e.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 264
      4⤵
      Program crash
      PID:760
- - C:\Users\Admin\AppData\Local\Temp\hrl9FBA.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl9FBA.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2108 -ip 2108
1⤵
PID:3732

C:\Windows\SysWOW64\dipzew.exe
C:\Windows\SysWOW64\dipzew.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl9FBA.tmp

Filesize
338KB

MD5
9e5a94f2b4b378b2f50805cdd1efe405

SHA1
e56fce2eedf674218165bdf53da7943f47875835

SHA256
0a7ec6b90c8c4842f8348297b3cb61ec0ed4545e6f33a07089c9470ead25570b

SHA512
21d8095183bfbc582a829af2c1f35c07ce2ebb120bece797f6e067f7c69c86beeaf7911f447d33540290504a8ad0318041743ee17ba2df3099b2729841a22827

Download Submit
C:\Windows\SysWOW64\gei33.dll

Filesize
9KB

MD5
655d12e373b5891981111e48da1f0a88

SHA1
db346a8879c226b2a6fb13300a8cccb089326b04

SHA256
3eecef36be5dcb9c81ebbbd2eb0bdcd456d81592673fae46f043d5423b8d7748

SHA512
0a27696905df67638e43ae479e376f89657475675711c9d1b292da629520cc36dfafca12232308b232a7ccc3e9e47b39baf1b9d0b597c8d1c6946aa827aaeeea

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
106KB

MD5
db92102c142a97620d0f02b3321d235b

SHA1
84adf0da0cfa131b61a23cf26719b5d0c75702a9

SHA256
12dc8f962b54cbf925146db55709c9ad8465e392aede3a5095f74e7ca6ade2a5

SHA512
04bbb8ca5e5e63e85da4c4a9de8f46352cb9437005c0cae014da1d61c58916584a284fb7fba21b06f963de440362e150b6f2ef5d69143fd6a187c0712bf28d65

Download Submit
memory/1348-19-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1348-16-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1348-11-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1348-25-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/1348-24-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1348-23-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1348-22-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/1348-21-0x00000000032E0000-0x00000000032E2000-memory.dmp

Filesize
8KB

Download
memory/1348-20-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1348-31-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1348-18-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1348-17-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1348-15-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1348-14-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1348-32-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/1348-12-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/1712-29-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1712-43-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2108-8-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2108-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4976-26-0x0000000010000000-0x0000000010077000-memory.dmp

Filesize
476KB

Download
memory/4976-1-0x0000000010000000-0x0000000010077000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing