374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497

General

Target

374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497.dll
Size

1.2MB
MD5

9a27f1f207c3696490f4dd6c85fe9bb4
SHA1

e77b0cc31e13a380671cb559d1d3ed46f26e504d
SHA256

374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497
SHA512

8d74935432aba2b3805e78be9b8352cf3aa642b242f2b4bd4b3c674467afd10b115cb7066495696a71206571774c78b4b5d133aa5c294fa0e86ccb2c5809e3b9
SSDEEP

24576:U8F+Pzr/Hfp4MIYwZckMQmeVgheBvriXRt:U88zrp4MwL7v2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2784	rundll32mgr.exe
2732	rundll32mgrmgr.exe

Loads dropped DLL 22 IoCs

pid	Process
2680	rundll32.exe
2680	rundll32.exe
2784	rundll32mgr.exe
2784	rundll32mgr.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
1764	WerFault.exe
2612	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2612	2732	WerFault.exe	32
1764	2784	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2680	1508	rundll32.exe	30
PID 1508 wrote to memory of 2680	1508	rundll32.exe	30
PID 1508 wrote to memory of 2680	1508	rundll32.exe	30
PID 1508 wrote to memory of 2680	1508	rundll32.exe	30
PID 1508 wrote to memory of 2680	1508	rundll32.exe	30
PID 1508 wrote to memory of 2680	1508	rundll32.exe	30
PID 1508 wrote to memory of 2680	1508	rundll32.exe	30
PID 2680 wrote to memory of 2784	2680	rundll32.exe	31
PID 2680 wrote to memory of 2784	2680	rundll32.exe	31
PID 2680 wrote to memory of 2784	2680	rundll32.exe	31
PID 2680 wrote to memory of 2784	2680	rundll32.exe	31
PID 2784 wrote to memory of 2732	2784	rundll32mgr.exe	32
PID 2784 wrote to memory of 2732	2784	rundll32mgr.exe	32
PID 2784 wrote to memory of 2732	2784	rundll32mgr.exe	32
PID 2784 wrote to memory of 2732	2784	rundll32mgr.exe	32
PID 2784 wrote to memory of 1764	2784	rundll32mgr.exe	33
PID 2784 wrote to memory of 1764	2784	rundll32mgr.exe	33
PID 2784 wrote to memory of 1764	2784	rundll32mgr.exe	33
PID 2784 wrote to memory of 1764	2784	rundll32mgr.exe	33
PID 2732 wrote to memory of 2612	2732	rundll32mgrmgr.exe	34
PID 2732 wrote to memory of 2612	2732	rundll32mgrmgr.exe	34
PID 2732 wrote to memory of 2612	2732	rundll32mgrmgr.exe	34
PID 2732 wrote to memory of 2612	2732	rundll32mgrmgr.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 156
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 152
      4⤵
      Loads dropped DLL
      Program crash
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe

Filesize
810KB

MD5
edce3981e4e65a056cdd5ee6a8560264

SHA1
904eec1da309c9ade0c4f8f567f64d9593f3c1b2

SHA256
2c6947b14268a8f69028f1597e81f80bcd1b5ce3a5fa99a343666bca064aa03d

SHA512
3a7390909998679989383e42d0db172c28a1986ccc7e9de91f4a0aa0f805921e5c42a07d5f2e27c7ab0042c3cd42d445edc884d00465b73fe056e01ddb73b6fa

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
404KB

MD5
3a51be334f3cedd7185130cd60047496

SHA1
5572a04718cffb848ae660713415b8ab95b3ec5c

SHA256
3e6d0b2887dad2ea3845139a31dfc8b8a2923c3f58ae8ba241d1498e1cc7747b

SHA512
ed2dda92f22f1d972508ede37cf6b8cf719e1d53271c2af988fe700e53f4ca0feb7e39712135e1c128f63ebf08ee6a555f35b555243c233afc943a22c9fe5783

Download Submit
memory/2680-0-0x0000000010000000-0x000000001013D000-memory.dmp

Filesize
1.2MB

Download
memory/2680-3-0x0000000010000000-0x000000001013D000-memory.dmp

Filesize
1.2MB

Download
memory/2680-2-0x0000000010000000-0x000000001013D000-memory.dmp

Filesize
1.2MB

Download
memory/2680-12-0x00000000005F0000-0x00000000006C6000-memory.dmp

Filesize
856KB

Download
memory/2732-23-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2732-42-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2784-13-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2784-22-0x00000000001C0000-0x0000000000230000-memory.dmp

Filesize
448KB

Download
memory/2784-21-0x00000000001C0000-0x0000000000230000-memory.dmp

Filesize
448KB

Download
memory/2784-43-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing