2e7397a7fe7a8faa157f2b256ed3ac6d4e31ddfeb2a426b29eef62730d5ee08b

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e7397a7fe7a8faa157f2b256ed3ac6d4e31ddfeb2a426b29eef62730d5ee08bN.dll
Size

220KB
MD5

af6b596b47610cc81d06e61ff6d47790
SHA1

3bdf185f92f712057ef6f90291844603389ebbfb
SHA256

2e7397a7fe7a8faa157f2b256ed3ac6d4e31ddfeb2a426b29eef62730d5ee08b
SHA512

44a2d9e020903fae9569bc470450e59e88eabd8b3ebcec6764635a756c8d6bcaac714daf7c006a8b7ad2c11b8bc39784a1f8cbf483f3aada5e82aeb3be0e0662
SSDEEP

3072:QgKKuiX63bw5dNjDh8pWVgTlFIYnT1rXk1LGYrM/OkiHfnN:BKZp3KNjVGvRr+LGJ/OkGfN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	rundll32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2324	rundll32.exe
2324	rundll32.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process
2076	2408	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2324	2240	rundll32.exe	30
PID 2240 wrote to memory of 2324	2240	rundll32.exe	30
PID 2240 wrote to memory of 2324	2240	rundll32.exe	30
PID 2240 wrote to memory of 2324	2240	rundll32.exe	30
PID 2240 wrote to memory of 2324	2240	rundll32.exe	30
PID 2240 wrote to memory of 2324	2240	rundll32.exe	30
PID 2240 wrote to memory of 2324	2240	rundll32.exe	30
PID 2324 wrote to memory of 2408	2324	rundll32.exe	31
PID 2324 wrote to memory of 2408	2324	rundll32.exe	31
PID 2324 wrote to memory of 2408	2324	rundll32.exe	31
PID 2324 wrote to memory of 2408	2324	rundll32.exe	31
PID 2408 wrote to memory of 2076	2408	rundll32mgr.exe	32
PID 2408 wrote to memory of 2076	2408	rundll32mgr.exe	32
PID 2408 wrote to memory of 2076	2408	rundll32mgr.exe	32
PID 2408 wrote to memory of 2076	2408	rundll32mgr.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e7397a7fe7a8faa157f2b256ed3ac6d4e31ddfeb2a426b29eef62730d5ee08bN.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e7397a7fe7a8faa157f2b256ed3ac6d4e31ddfeb2a426b29eef62730d5ee08bN.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
424873689d318369e458684a7d47bf18

SHA1
cc85aecf385fa222d3073d2aa53dcd0b3eb62068

SHA256
04a22ca7674eedef61f9dac1dd7ad08460ff0c0d4e71ba34aa2469bebec8029c

SHA512
53e67ebd100ade88ce81477eaf54b0592da0feb461c8e63cb46420a82d3d26bac93eb75455fd745d3277a31f9d6841f356267b685fb55fe4236833a0e79bef8f

Download Submit
memory/2324-7-0x0000000010000000-0x0000000010039000-memory.dmp

Filesize
228KB

Download
memory/2324-10-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2324-8-0x0000000010000000-0x0000000010039000-memory.dmp

Filesize
228KB

Download
memory/2324-12-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2408-11-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download