Analysis

  • max time kernel
    70s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 01:41

General

  • Target

    46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll

  • Size

    444KB

  • MD5

    b4aeda6e33b22221e1fb077eae961960

  • SHA1

    3db02fd2ef363f9344672ae7c4f5139a8c7eee36

  • SHA256

    46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8

  • SHA512

    373b1a5bdd6ac24b9d601de40c93b583a734c771576a6741519faba1f81b40f366b79a4389ad2cb73e4cf02b55b1e67709fa0f2a27caae26fc6f554d1ab3e618

  • SSDEEP

    12288:iehnaNPpSVZmNxRCwnwm3W3OHIIf5amBUFCWi2:ieh0PpS6NxNnwYeOHX1UgH2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 100
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2868
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 224
        3⤵
        • Program crash
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    60KB

    MD5

    94f2f6ffbba8e7644668b51b39983916

    SHA1

    63357bbdf90101969117983dbc0d4ed0e713c4d7

    SHA256

    ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

    SHA512

    d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

  • memory/2140-0-0x0000000010000000-0x0000000010071000-memory.dmp

    Filesize

    452KB

  • memory/2140-2-0x0000000010000000-0x0000000010071000-memory.dmp

    Filesize

    452KB

  • memory/2140-17-0x0000000010000000-0x0000000010071000-memory.dmp

    Filesize

    452KB