Analysis

max time kernel: 70s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 01:41
Static task: static1
Behavioral task: behavioral1
Sample: 46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll
Resource: win7-20240903-en
General

Target: 46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll
Size: 444KB
MD5: b4aeda6e33b22221e1fb077eae961960
SHA1: 3db02fd2ef363f9344672ae7c4f5139a8c7eee36
SHA256: 46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8
SHA512: 373b1a5bdd6ac24b9d601de40c93b583a734c771576a6741519faba1f81b40f366b79a4389ad2cb73e4cf02b55b1e67709fa0f2a27caae26fc6f554d1ab3e618
SSDEEP: 12288:iehnaNPpSVZmNxRCwnwm3W3OHIIf5amBUFCWi2:ieh0PpS6NxNnwYeOHX1UgH2
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2196  rundll32mgr.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  2140  rundll32.exe
  2140  rundll32.exe
  2868  WerFault.exe
  2868  WerFault.exe
  2868  WerFault.exe
  2868  WerFault.exe
  2868  WerFault.exe
  2868  WerFault.exe
  2868  WerFault.exe

Drops file in System32 directory (1 IoC)
  description   ioc                                   Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe   rundll32.exe

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2852  2140        WerFault.exe  31
  2868  2196        WerFault.exe  32

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                         pid   Process          procid_target
  PID 1840 wrote to memory of 2140    1840  rundll32.exe     31   (7 entries)
  PID 2140 wrote to memory of 2196    2140  rundll32.exe     32   (4 entries)
  PID 2140 wrote to memory of 2852    2140  rundll32.exe     33   (4 entries)
  PID 2196 wrote to memory of 2868    2196  rundll32mgr.exe  34   (4 entries)
Processes

1. C:\Windows\system32\rundll32.exe
   Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll,#1
   PID: 1840
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll,#1
      PID: 2140
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32mgr.exe
         Command: C:\Windows\SysWOW64\rundll32mgr.exe
         PID: 2196
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe
            Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 100
            PID: 2868
            - Loads dropped DLL
            - Program crash

      3. C:\Windows\SysWOW64\WerFault.exe
         Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 224
         PID: 2852
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60KB
MD5: 94f2f6ffbba8e7644668b51b39983916
SHA1: 63357bbdf90101969117983dbc0d4ed0e713c4d7
SHA256: ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed
SHA512: d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156