4ec82f46f83c82b72ef98780baf08fccf8a6e246ba19061549a7db80ccbb3085

General

Target

4ec82f46f83c82b72ef98780baf08fccf8a6e246ba19061549a7db80ccbb3085.dll
Size

2.4MB
MD5

b87a2a672bc4c8a5f60df8ded889071f
SHA1

6cf6935d7b79b4827272e0284f562fb8a14403ca
SHA256

4ec82f46f83c82b72ef98780baf08fccf8a6e246ba19061549a7db80ccbb3085
SHA512

66a1e3af16ca8aa9d33cf026d5fbce4f96bbcdca2f52ea8a9ea7b3c65848f1019cb249b2f3a423b32546cf3ae4e3977af18b21ff6d050e55a623d55430dd4cc7
SSDEEP

49152:xU3U+ZYmxjpv7x4GFM/+b8dTMNh9Wr73h7NXSWEqNJO5hYTVMCRisKEbzE:xiU2YmxjpDx4Zo8dYNh9q73h7NXYkRiH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1480	rundll32mgr.exe
2976	rundll32mgrmgr.exe

Loads dropped DLL 18 IoCs

pid	Process
2472	rundll32.exe
2472	rundll32.exe
1480	rundll32mgr.exe
1480	rundll32mgr.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2324	WerFault.exe
2880	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2324	1480	WerFault.exe	31
2096	2472	WerFault.exe	30
2880	2976	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2472	2596	rundll32.exe	30
PID 2596 wrote to memory of 2472	2596	rundll32.exe	30
PID 2596 wrote to memory of 2472	2596	rundll32.exe	30
PID 2596 wrote to memory of 2472	2596	rundll32.exe	30
PID 2596 wrote to memory of 2472	2596	rundll32.exe	30
PID 2596 wrote to memory of 2472	2596	rundll32.exe	30
PID 2596 wrote to memory of 2472	2596	rundll32.exe	30
PID 2472 wrote to memory of 1480	2472	rundll32.exe	31
PID 2472 wrote to memory of 1480	2472	rundll32.exe	31
PID 2472 wrote to memory of 1480	2472	rundll32.exe	31
PID 2472 wrote to memory of 1480	2472	rundll32.exe	31
PID 1480 wrote to memory of 2976	1480	rundll32mgr.exe	32
PID 1480 wrote to memory of 2976	1480	rundll32mgr.exe	32
PID 1480 wrote to memory of 2976	1480	rundll32mgr.exe	32
PID 1480 wrote to memory of 2976	1480	rundll32mgr.exe	32
PID 1480 wrote to memory of 2324	1480	rundll32mgr.exe	33
PID 1480 wrote to memory of 2324	1480	rundll32mgr.exe	33
PID 1480 wrote to memory of 2324	1480	rundll32mgr.exe	33
PID 1480 wrote to memory of 2324	1480	rundll32mgr.exe	33
PID 2472 wrote to memory of 2096	2472	rundll32.exe	35
PID 2472 wrote to memory of 2096	2472	rundll32.exe	35
PID 2472 wrote to memory of 2096	2472	rundll32.exe	35
PID 2472 wrote to memory of 2096	2472	rundll32.exe	35
PID 2976 wrote to memory of 2880	2976	rundll32mgrmgr.exe	34
PID 2976 wrote to memory of 2880	2976	rundll32mgrmgr.exe	34
PID 2976 wrote to memory of 2880	2976	rundll32mgrmgr.exe	34
PID 2976 wrote to memory of 2880	2976	rundll32mgrmgr.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ec82f46f83c82b72ef98780baf08fccf8a6e246ba19061549a7db80ccbb3085.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ec82f46f83c82b72ef98780baf08fccf8a6e246ba19061549a7db80ccbb3085.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 156
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 152
      4⤵
      Loads dropped DLL
      Program crash
      PID:2324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 232
    3⤵
    - Program crash
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
115KB

MD5
42772a782bb1c6444f6e4d4b5c51bed9

SHA1
57663c9f055ffc52d46b4dd2a91ffa8c191be33b

SHA256
aac7bc007ae051fb71fb735ad4e92a6be8ec48ade1a3bf3b40746949a4dfd125

SHA512
cb7cd3b5f18f1834b6eccf5be5858614b154ae8d146aa746dddc74bea14c7daf4a7833d3a9ed4f0d32c9821d85901f74a367a830d3b7f0bf379fa1fdd5fae6cf

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
233KB

MD5
7816267b885055210f56ea4fa2b6df2a

SHA1
9dffc3317e685cc65f3d458799ca7c36e4966a09

SHA256
bcd868b32cb2e9954cbca19e2348653fa9cd5ad52b933c9a871dca6341733311

SHA512
14c9d98ef827a5df6d99f4678d392da634a7200997b775f713d6f418f32ce2ae01197a6ef9003b6a52e11a539e32402edd9a9129a330523ae4b8d78f423050dc

Download Submit
memory/1480-19-0x00000000001C0000-0x00000000001F8000-memory.dmp

Filesize
224KB

Download
memory/1480-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2472-0-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2472-8-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2472-18-0x0000000000210000-0x0000000000266000-memory.dmp

Filesize
344KB

Download
memory/2472-13-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2472-37-0x0000000008000000-0x0000000008276000-memory.dmp

Filesize
2.5MB

Download
memory/2976-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2976-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing