06b141da308fca09fab26963c3bb1ae851cf941b9dcfa269c5c640ef28f55fd7

Analysis

max time kernel
137s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 12:11

Target

$PLUGINSDIR/lfpnfont.dll
Size

20KB
MD5

fa424f9b0c98afafb0671959f35139fb
SHA1

25f5c5139e5248c85f122eb42cdafc2d974d507a
SHA256

969d24cf93578bfd20c823ef79580dd61e007b00023fad94238e3e2e4bd5a479
SHA512

9176814ef19f8a1da11007b6d9c264308fae22905401f383bf516507bd6e210164644d588be177ea5c04667eeae520abfb4a0646a084f480c99bc433445f03e1
SSDEEP

192:Fn1UP8lpn1nw8GUQ2963lfaLb7J24PiUr249D78L70fI6Yt00R5/dGvBPMGxWs:F1UPep1wxyeaH7ooc70fI670FexW

Score

3^/10

discovery

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2304 wrote to memory of 4284	2304	rundll32.exe	rundll32.exe
PID 2304 wrote to memory of 4284	2304	rundll32.exe	rundll32.exe
PID 2304 wrote to memory of 4284	2304	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 3416	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 3416	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 3416	4284	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lfpnfont.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lfpnfont.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lfpnfont.dll,#1
    3⤵
    PID:3416

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/4284-0-0x0000000075745000-0x0000000075747000-memory.dmp

Filesize
8KB

Download