3d7d2fbff056715df82ff6087da813f9eab7626231db45788506896fa399ca44

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

App/UltraISO/lame_enc.dll
Size

962KB
MD5

b9e34ae6d6ecb1e19b36dc70e7ef406c
SHA1

014985ed2dab57e606e08788fc9177220dd2aed1
SHA256

3b8817fad300fd729d28ca4895d9fb131cf64e699fe5de658ae44c6d056dace4
SHA512

d2360eb205a7f8feb9d45237f0190ef3b2444b22225bead9eedfe5301cac0601741a7d849033d3b2b5cd2a39496edc86e1d4d4444110bafefcf4a8922c6bbff2
SSDEEP

12288:P2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhjN:PhAgFptPlqmPDHJ1apVdYUy+jRmXD

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2208	2184	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2184	824	rundll32.exe	31
PID 824 wrote to memory of 2184	824	rundll32.exe	31
PID 824 wrote to memory of 2184	824	rundll32.exe	31
PID 824 wrote to memory of 2184	824	rundll32.exe	31
PID 824 wrote to memory of 2184	824	rundll32.exe	31
PID 824 wrote to memory of 2184	824	rundll32.exe	31
PID 824 wrote to memory of 2184	824	rundll32.exe	31
PID 2184 wrote to memory of 2208	2184	rundll32.exe	32
PID 2184 wrote to memory of 2208	2184	rundll32.exe	32
PID 2184 wrote to memory of 2208	2184	rundll32.exe	32
PID 2184 wrote to memory of 2208	2184	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\App\UltraISO\lame_enc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\App\UltraISO\lame_enc.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 220
    3⤵
    - Program crash
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads