b46d57440fa4c6089011d9460c67a196b6cc1bc484860fe7077fad4e9925f1eb

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoPath.dll
Size

585KB
MD5

c3c98a96ea0dc067a99e8849f68acf04
SHA1

39fecda52b89c54eef4d8ca6afd3eba6830ade82
SHA256

2587cea708905b2a03f4dc335a7bccfd30392e6930fc511c812ba817f1c72106
SHA512

85556c0b49ff2f53655f223288421222af80b11e8d222e5f7c7eec732d28a294d649444d7b8c037f8d2c40bcf4e5db72f77bf8a5592820d54b4f6c0283d81386
SSDEEP

12288:eMGd+1VrxqXIxMciB9FhY9ttHCPyZQijOT7Ah7q98aC8w:Ko1V8XIxMci1+9t4yZzjGWaC

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AutoPath.ini	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	2680	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 2680 wrote to memory of 2852	2680	rundll32.exe	32
PID 2680 wrote to memory of 2852	2680	rundll32.exe	32
PID 2680 wrote to memory of 2852	2680	rundll32.exe	32
PID 2680 wrote to memory of 2852	2680	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoPath.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoPath.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 232
    3⤵
    - Program crash
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AutoPath.ini

Filesize
308B

MD5
24fef7f8afa1a6f6abef0b06b6d0ca59

SHA1
f384d7314fddd0d138efa6d49ee646a056e6c907

SHA256
2bae8ba4cb896465a76678048d7d9803e1089861743793bb89479de44a182713

SHA512
7805b91df1c61a2cb4a79c7a8ec5319bdf56970ad38499b141179ca8f959a2428bd6c3996fde16afe171ff0e0a3fadbe7784da1a50400bc6fafaedb37356bd2c

Download Submit
C:\Windows\SysWOW64\AutoPath.ini

Filesize
175B

MD5
390e4fa3b831c74563ff38785b7fbccd

SHA1
03f21e0d6ebad87d9475ca173f7555ce7fb864f7

SHA256
fddbc7d8408702e988cf6e291c8d239eaeb38df2c7752828d8894454c36b3c46

SHA512
826fc5ca459cb83dd12659101b630f03129364e575b88588aa3dc0a5014f6637461f118d6852ac49e34307eaef489e257aa766c07e1b1b597007e29550ad76d7

Download Submit
memory/2680-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2680-33-0x0000000000435000-0x000000000047E000-memory.dmp

Filesize
292KB

Download
memory/2680-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2680-37-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download