ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14

General

Target

ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14N.dll
Size

2.4MB
MD5

ddb05b30f69ee2ff53771593bdc89540
SHA1

3dbbd00f62b85ff26a3e18d680b6687e195858c2
SHA256

ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14
SHA512

f5198a920d891ccdca4383a5b76b107ec7a304c54421add960f35d35b05063342a5476e56e5d4016433212827a21142fd3b6b1b8ad13f7f21ef0d33c7198bd72
SSDEEP

49152:xU3U+ZYmxjpv7x4GFM/+b8dTMNh9Wr73h7NXSWEqNJO5hYTVMCRisKEbzc:xiU2YmxjpDx4Zo8dYNh9q73h7NXYkRil

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2824	rundll32mgr.exe
2192	rundll32mgrmgr.exe

Loads dropped DLL 18 IoCs

pid	Process
2764	rundll32.exe
2764	rundll32.exe
2824	rundll32mgr.exe
2824	rundll32mgr.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2220	WerFault.exe
2560	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2560	2192	WerFault.exe	33
2160	2764	WerFault.exe	31
2220	2824	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2764	2652	rundll32.exe	31
PID 2652 wrote to memory of 2764	2652	rundll32.exe	31
PID 2652 wrote to memory of 2764	2652	rundll32.exe	31
PID 2652 wrote to memory of 2764	2652	rundll32.exe	31
PID 2652 wrote to memory of 2764	2652	rundll32.exe	31
PID 2652 wrote to memory of 2764	2652	rundll32.exe	31
PID 2652 wrote to memory of 2764	2652	rundll32.exe	31
PID 2764 wrote to memory of 2824	2764	rundll32.exe	32
PID 2764 wrote to memory of 2824	2764	rundll32.exe	32
PID 2764 wrote to memory of 2824	2764	rundll32.exe	32
PID 2764 wrote to memory of 2824	2764	rundll32.exe	32
PID 2824 wrote to memory of 2192	2824	rundll32mgr.exe	33
PID 2824 wrote to memory of 2192	2824	rundll32mgr.exe	33
PID 2824 wrote to memory of 2192	2824	rundll32mgr.exe	33
PID 2824 wrote to memory of 2192	2824	rundll32mgr.exe	33
PID 2824 wrote to memory of 2220	2824	rundll32mgr.exe	34
PID 2824 wrote to memory of 2220	2824	rundll32mgr.exe	34
PID 2824 wrote to memory of 2220	2824	rundll32mgr.exe	34
PID 2824 wrote to memory of 2220	2824	rundll32mgr.exe	34
PID 2764 wrote to memory of 2160	2764	rundll32.exe	35
PID 2764 wrote to memory of 2160	2764	rundll32.exe	35
PID 2764 wrote to memory of 2160	2764	rundll32.exe	35
PID 2764 wrote to memory of 2160	2764	rundll32.exe	35
PID 2192 wrote to memory of 2560	2192	rundll32mgrmgr.exe	36
PID 2192 wrote to memory of 2560	2192	rundll32mgrmgr.exe	36
PID 2192 wrote to memory of 2560	2192	rundll32mgrmgr.exe	36
PID 2192 wrote to memory of 2560	2192	rundll32mgrmgr.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14N.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 156
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 152
      4⤵
      Loads dropped DLL
      Program crash
      PID:2220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 228
    3⤵
    - Program crash
    PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
233KB

MD5
7816267b885055210f56ea4fa2b6df2a

SHA1
9dffc3317e685cc65f3d458799ca7c36e4966a09

SHA256
bcd868b32cb2e9954cbca19e2348653fa9cd5ad52b933c9a871dca6341733311

SHA512
14c9d98ef827a5df6d99f4678d392da634a7200997b775f713d6f418f32ce2ae01197a6ef9003b6a52e11a539e32402edd9a9129a330523ae4b8d78f423050dc

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
115KB

MD5
42772a782bb1c6444f6e4d4b5c51bed9

SHA1
57663c9f055ffc52d46b4dd2a91ffa8c191be33b

SHA256
aac7bc007ae051fb71fb735ad4e92a6be8ec48ade1a3bf3b40746949a4dfd125

SHA512
cb7cd3b5f18f1834b6eccf5be5858614b154ae8d146aa746dddc74bea14c7daf4a7833d3a9ed4f0d32c9821d85901f74a367a830d3b7f0bf379fa1fdd5fae6cf

Download Submit
memory/2192-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-1-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2764-8-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2764-18-0x00000000000F0000-0x0000000000146000-memory.dmp

Filesize
344KB

Download
memory/2764-17-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2764-21-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2824-19-0x00000000000B0000-0x00000000000E8000-memory.dmp

Filesize
224KB

Download
memory/2824-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing