3269f09d521fb3d0a5541f9f3413cccf470adce0555da3783f05b3e855c811f8

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/12/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3269f09d521fb3d0a5541f9f3413cccf470adce0555da3783f05b3e855c811f8.dll
Size

1.2MB
MD5

4e5d68b90c246c12c1f703478e30d099
SHA1

49a00b9e131ff05157e4715f156d08f5e7fa38c3
SHA256

3269f09d521fb3d0a5541f9f3413cccf470adce0555da3783f05b3e855c811f8
SHA512

6cb4b82aa6f76f7e1e742631e2445fb4fc1daede1a77ac08e2eb3efd6ee9c5772506e8ada4a34590b6cae5fafe994bc0d2e8e1fd1b2ca0bb8db2d08aec184dbf
SSDEEP

12288:v9g8GZHpzAac5naAd25L5O+FQ7lW8lZ60ICPxaf6og38BfSH6gqrandxT+is3pjB:v68+O6pvbt/wuzTB2OF8gnV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	rundll32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
1816	rundll32.exe
1816	rundll32.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1120	2724	WerFault.exe
2920	1816	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1816	1712	rundll32.exe	30
PID 1712 wrote to memory of 1816	1712	rundll32.exe	30
PID 1712 wrote to memory of 1816	1712	rundll32.exe	30
PID 1712 wrote to memory of 1816	1712	rundll32.exe	30
PID 1712 wrote to memory of 1816	1712	rundll32.exe	30
PID 1712 wrote to memory of 1816	1712	rundll32.exe	30
PID 1712 wrote to memory of 1816	1712	rundll32.exe	30
PID 1816 wrote to memory of 2724	1816	rundll32.exe	31
PID 1816 wrote to memory of 2724	1816	rundll32.exe	31
PID 1816 wrote to memory of 2724	1816	rundll32.exe	31
PID 1816 wrote to memory of 2724	1816	rundll32.exe	31
PID 2724 wrote to memory of 1120	2724	rundll32mgr.exe	33
PID 2724 wrote to memory of 1120	2724	rundll32mgr.exe	33
PID 2724 wrote to memory of 1120	2724	rundll32mgr.exe	33
PID 2724 wrote to memory of 1120	2724	rundll32mgr.exe	33
PID 1816 wrote to memory of 2920	1816	rundll32.exe	32
PID 1816 wrote to memory of 2920	1816	rundll32.exe	32
PID 1816 wrote to memory of 2920	1816	rundll32.exe	32
PID 1816 wrote to memory of 2920	1816	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3269f09d521fb3d0a5541f9f3413cccf470adce0555da3783f05b3e855c811f8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3269f09d521fb3d0a5541f9f3413cccf470adce0555da3783f05b3e855c811f8.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:1120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 228
    3⤵
    - Program crash
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe

Filesize
60KB

MD5
9da34792f12bfb224d0b0d16f9f62292

SHA1
da65efc75ff8be031bac9ba02eda64597f657c52

SHA256
a434a29856702b0daa752fac298e3b27e08016ca210e9eefc1431957a9e20334

SHA512
6af27047219bf6e0ede8877df56576109e50973f66d704bd1a923a8fde9bc29d7ef929576ad24e19cf82a5ae4a550a36ead42a1e0deb23f41954cbaae2724a9c

Download Submit
memory/1816-0-0x0000000010000000-0x000000001013A000-memory.dmp

Filesize
1.2MB

Download
memory/1816-2-0x0000000010000000-0x000000001013A000-memory.dmp

Filesize
1.2MB

Download
memory/1816-17-0x0000000010000000-0x000000001013A000-memory.dmp

Filesize
1.2MB

Download