ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 11:07

Target

ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38.dll
Size

8KB
MD5

1c5cd2fa37d8eee2ddd880254f07875f
SHA1

63e7a0916961a1cc8f61d236eb5c28c7adad0c7a
SHA256

ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38
SHA512

e91f22985238055c7ecc2e72b7fc094fa8777500b6db8287afa33ef911b550fbfa0eb65ae9485232756b66abdf62a09e8e16a9d4898039601aa58236f1fd71a6
SSDEEP

192:xh4SFyvWohE5xf6YUBSL63SUJqtMblWN:xO+ohE2B13NJqtM

Score

5^/10

discovery

Drops file in System32 directory 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\satornas.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1928 wrote to memory of 2248	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 2248	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 2248	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 2248	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 2248	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 2248	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 2248	1928	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2248

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2248-2-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2248-1-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2248-0-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download