946a755870498e6752f9ccba0eb75d1cae8ddfd2a4cb5c2d4fb3704e909d2f60

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

946a755870498e6752f9ccba0eb75d1cae8ddfd2a4cb5c2d4fb3704e909d2f60N.dll
Size

80KB
MD5

06db98334e6d2bc2c1b78cfc55d3f120
SHA1

e9a8bd1b61a761d98b3d13a5b1ee08752c119288
SHA256

946a755870498e6752f9ccba0eb75d1cae8ddfd2a4cb5c2d4fb3704e909d2f60
SHA512

fc1bf0fa48731c0a7624398dbd166b686e23a84711aa2fd889e4fd7c79d8c8232720cd94108f1e8512bebeb5acb63db3f095ddd857b955beb445d7178972d245
SSDEEP

1536:5POOhfbOjovgdVydUgoNrwBZXGDaZ1QIxrfItMgR7ZaO+fGxHZPEF4n7j:5dbwovEVyqgoZmZXWfIdQdRaefPv

Score

6^/10

discovery upx

Malware Config

Signatures

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4612	arp.exe
4244	arp.exe
1400	arp.exe
4056	arp.exe
1876	arp.exe
4800	arp.exe
4576	arp.exe
224	arp.exe
2484	arp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4284-0-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/4284-2-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3192	4284	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4284	4552	rundll32.exe	83
PID 4552 wrote to memory of 4284	4552	rundll32.exe	83
PID 4552 wrote to memory of 4284	4552	rundll32.exe	83
PID 4284 wrote to memory of 224	4284	rundll32.exe	85
PID 4284 wrote to memory of 224	4284	rundll32.exe	85
PID 4284 wrote to memory of 224	4284	rundll32.exe	85
PID 4284 wrote to memory of 4576	4284	rundll32.exe	88
PID 4284 wrote to memory of 4576	4284	rundll32.exe	88
PID 4284 wrote to memory of 4576	4284	rundll32.exe	88
PID 4284 wrote to memory of 4800	4284	rundll32.exe	89
PID 4284 wrote to memory of 4800	4284	rundll32.exe	89
PID 4284 wrote to memory of 4800	4284	rundll32.exe	89
PID 4284 wrote to memory of 4244	4284	rundll32.exe	90
PID 4284 wrote to memory of 4244	4284	rundll32.exe	90
PID 4284 wrote to memory of 4244	4284	rundll32.exe	90
PID 4284 wrote to memory of 4612	4284	rundll32.exe	91
PID 4284 wrote to memory of 4612	4284	rundll32.exe	91
PID 4284 wrote to memory of 4612	4284	rundll32.exe	91
PID 4284 wrote to memory of 1876	4284	rundll32.exe	92
PID 4284 wrote to memory of 1876	4284	rundll32.exe	92
PID 4284 wrote to memory of 1876	4284	rundll32.exe	92
PID 4284 wrote to memory of 4056	4284	rundll32.exe	93
PID 4284 wrote to memory of 4056	4284	rundll32.exe	93
PID 4284 wrote to memory of 4056	4284	rundll32.exe	93
PID 4284 wrote to memory of 1400	4284	rundll32.exe	94
PID 4284 wrote to memory of 1400	4284	rundll32.exe	94
PID 4284 wrote to memory of 1400	4284	rundll32.exe	94
PID 4284 wrote to memory of 2484	4284	rundll32.exe	95
PID 4284 wrote to memory of 2484	4284	rundll32.exe	95
PID 4284 wrote to memory of 2484	4284	rundll32.exe	95

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\946a755870498e6752f9ccba0eb75d1cae8ddfd2a4cb5c2d4fb3704e909d2f60N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\946a755870498e6752f9ccba0eb75d1cae8ddfd2a4cb5c2d4fb3704e909d2f60N.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 55-23-6c-3c-39-f4
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:4576
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 38-de-8c-b9-26-28
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Windows\SysWOW64\arp.exe
    arp -s 37.27.61.181 cf-00-37-07-94-28
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 19-bc-d8-11-a3-52
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 2b-07-cb-0e-5c-d4
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 f2-7b-8e-98-2e-a7
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:4056
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 48-80-37-5c-dc-c4
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1400
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 dd-24-fd-18-fe-79
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 708
    3⤵
    - Program crash
    PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4284 -ip 4284
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4284-0-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4284-2-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download