ae21d1625a332105fa099e45f15945dcfbd0e088bc357398c5b9036be80c8b9e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 07:54

Target

re86x.dll
Size

177.8MB
MD5

a17f011e58699c816cb3511fc14a5e3d
SHA1

4a69475a7d523239f61d2fca759c35776d256eb0
SHA256

be3283d6c64766a6d950a93f42164e82f93d30409697a693a7a6d8759935abdd
SHA512

c5d1864bae174a523bc52026107f05de00f64401ea1a0bd037ea4eedba9abcace1e17381b3f33ced4e7ee8d54bba1b9b184750883c3a2a9feacf1dcb8ad62157
SSDEEP

24576:VJ1jpSL+6UfDq80kdLx5IyYIfNvLw94Sx7aPuIaWutQrXttq89PZV53rnN7rjRLT:P1jpKNUfDq80kdDIyYIxa4Sx7aP

Score

3^/10

discovery

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2592 2628 WerFault.exe rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

pid	pid_target	process	target process
2592	2628	WerFault.exe	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1524 wrote to memory of 2628	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2628	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2628	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2628	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2628	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2628	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2628	1524	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 2592	2628	rundll32.exe	WerFault.exe
PID 2628 wrote to memory of 2592	2628	rundll32.exe	WerFault.exe
PID 2628 wrote to memory of 2592	2628	rundll32.exe	WerFault.exe
PID 2628 wrote to memory of 2592	2628	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\re86x.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\re86x.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 284
    3⤵
    - Program crash
    PID:2592

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2628-0-0x0000000074690000-0x000000007485C000-memory.dmp

Filesize
1.8MB

Download