0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9.dll
Size

165KB
MD5

f0bea645dfe0b63cfcdf5c8f51bc44dd
SHA1

82de8ce58da61c8dffff852c4447bf13c2b55216
SHA256

0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9
SHA512

5035aa346c11e636c6a05ac0222d96bf9b8b1d761eca475f3650efe45b27c8f65f0506715158fd82b6e9cee0a7dd3ab2747452800c626a03a9c38e17fba181d5
SSDEEP

3072:BsLXHHf0z4o++2dLy2aOtusyu/T3EcdDZBzgdPrNO/BQGmWsdgGal4:BUPy3Ot7br0cdXgBNO/Cjvau

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4104	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4104-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/files/0x0009000000023c8b-3.dat	upx
behavioral2/memory/4104-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5020	4104	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4936	4220	rundll32.exe	83
PID 4220 wrote to memory of 4936	4220	rundll32.exe	83
PID 4220 wrote to memory of 4936	4220	rundll32.exe	83
PID 4936 wrote to memory of 4104	4936	rundll32.exe	84
PID 4936 wrote to memory of 4104	4936	rundll32.exe	84
PID 4936 wrote to memory of 4104	4936	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 272
      4⤵
      Program crash
      PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4104 -ip 4104
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
122KB

MD5
b8e6f2753e6d6063d2ddbe2d0646da3a

SHA1
5ea3ef8fe2bde63b4489417a38985adaf2598ae2

SHA256
a2857d0f4628b42aa99a81cc1aeb7c9c14c5913c9c18f180aaae06a9ea979c12

SHA512
2a9069f8e2925ebc275f09c374b916d3917d6224f55345feb07a2424fc9764b49b5ef3d6ea4558e81d657dbe625c1622fd34041102ad1171901378548513a060

Download Submit
memory/4104-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4104-6-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/4104-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4936-0-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download