badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7df

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/12/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll
Size

1.2MB
MD5

a3b4fca3c9909a13d22aaabc72e62390
SHA1

3bd9776dba676d1fa7ea5f5df336293cabea9870
SHA256

badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7df
SHA512

ad9022e6a379b3faaa7d4f427cf121e2979607596ad7ce41d4329750a3e3705fee6f3cd0909d17ccedcf4a26a9220448d151d27710943f2561bc9da388b849a1
SSDEEP

12288:v9g8GZHpzAac5naAd25L5O+FQ7lW8lZ60ICPxaf6og38BfSH6gqrandxT+is3pjD:v68+O6pvbt/wuzTB2OF8gnf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	rundll32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2308	rundll32.exe
2308	rundll32.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1104	2384	WerFault.exe	31
3044	2308	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2308	2188	rundll32.exe	30
PID 2188 wrote to memory of 2308	2188	rundll32.exe	30
PID 2188 wrote to memory of 2308	2188	rundll32.exe	30
PID 2188 wrote to memory of 2308	2188	rundll32.exe	30
PID 2188 wrote to memory of 2308	2188	rundll32.exe	30
PID 2188 wrote to memory of 2308	2188	rundll32.exe	30
PID 2188 wrote to memory of 2308	2188	rundll32.exe	30
PID 2308 wrote to memory of 2384	2308	rundll32.exe	31
PID 2308 wrote to memory of 2384	2308	rundll32.exe	31
PID 2308 wrote to memory of 2384	2308	rundll32.exe	31
PID 2308 wrote to memory of 2384	2308	rundll32.exe	31
PID 2384 wrote to memory of 1104	2384	rundll32mgr.exe	32
PID 2384 wrote to memory of 1104	2384	rundll32mgr.exe	32
PID 2384 wrote to memory of 1104	2384	rundll32mgr.exe	32
PID 2384 wrote to memory of 1104	2384	rundll32mgr.exe	32
PID 2308 wrote to memory of 3044	2308	rundll32.exe	33
PID 2308 wrote to memory of 3044	2308	rundll32.exe	33
PID 2308 wrote to memory of 3044	2308	rundll32.exe	33
PID 2308 wrote to memory of 3044	2308	rundll32.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 232
    3⤵
    - Program crash
    PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe

Filesize
60KB

MD5
9da34792f12bfb224d0b0d16f9f62292

SHA1
da65efc75ff8be031bac9ba02eda64597f657c52

SHA256
a434a29856702b0daa752fac298e3b27e08016ca210e9eefc1431957a9e20334

SHA512
6af27047219bf6e0ede8877df56576109e50973f66d704bd1a923a8fde9bc29d7ef929576ad24e19cf82a5ae4a550a36ead42a1e0deb23f41954cbaae2724a9c

Download Submit
memory/2308-9-0x0000000010000000-0x000000001013A000-memory.dmp

Filesize
1.2MB

Download
memory/2308-5-0x0000000010000000-0x000000001013A000-memory.dmp

Filesize
1.2MB

Download