9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402

General

Target

9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402N.dll
Size

1.2MB
MD5

a5cab5f8f7b67680de7ec676189f5560
SHA1

3bb5d93e0ecf4386f11bf40e69b20bd1f5f07cc3
SHA256

9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402
SHA512

177c0d50b2096100e8a5d998b0f99966423649b44142c8660dfd311693250afbf9ee99bec4a845b9d511d9202298bcaa2f7e6d92d8f5483f338df60bce4e038e
SSDEEP

24576:U8F+Pzr/Hfp4MIYwZckMQmeVgheBvriXR/:U88zrp4MwL7vi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2840	rundll32mgr.exe
2696	rundll32mgrmgr.exe

Loads dropped DLL 22 IoCs

pid	Process
2824	rundll32.exe
2824	rundll32.exe
2840	rundll32mgr.exe
2840	rundll32mgr.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2724	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2852	2696	WerFault.exe	32
2724	2840	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2824	2720	rundll32.exe	30
PID 2720 wrote to memory of 2824	2720	rundll32.exe	30
PID 2720 wrote to memory of 2824	2720	rundll32.exe	30
PID 2720 wrote to memory of 2824	2720	rundll32.exe	30
PID 2720 wrote to memory of 2824	2720	rundll32.exe	30
PID 2720 wrote to memory of 2824	2720	rundll32.exe	30
PID 2720 wrote to memory of 2824	2720	rundll32.exe	30
PID 2824 wrote to memory of 2840	2824	rundll32.exe	31
PID 2824 wrote to memory of 2840	2824	rundll32.exe	31
PID 2824 wrote to memory of 2840	2824	rundll32.exe	31
PID 2824 wrote to memory of 2840	2824	rundll32.exe	31
PID 2840 wrote to memory of 2696	2840	rundll32mgr.exe	32
PID 2840 wrote to memory of 2696	2840	rundll32mgr.exe	32
PID 2840 wrote to memory of 2696	2840	rundll32mgr.exe	32
PID 2840 wrote to memory of 2696	2840	rundll32mgr.exe	32
PID 2840 wrote to memory of 2724	2840	rundll32mgr.exe	33
PID 2840 wrote to memory of 2724	2840	rundll32mgr.exe	33
PID 2840 wrote to memory of 2724	2840	rundll32mgr.exe	33
PID 2840 wrote to memory of 2724	2840	rundll32mgr.exe	33
PID 2696 wrote to memory of 2852	2696	rundll32mgrmgr.exe	34
PID 2696 wrote to memory of 2852	2696	rundll32mgrmgr.exe	34
PID 2696 wrote to memory of 2852	2696	rundll32mgrmgr.exe	34
PID 2696 wrote to memory of 2852	2696	rundll32mgrmgr.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402N.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 156
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 152
      4⤵
      Loads dropped DLL
      Program crash
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
810KB

MD5
edce3981e4e65a056cdd5ee6a8560264

SHA1
904eec1da309c9ade0c4f8f567f64d9593f3c1b2

SHA256
2c6947b14268a8f69028f1597e81f80bcd1b5ce3a5fa99a343666bca064aa03d

SHA512
3a7390909998679989383e42d0db172c28a1986ccc7e9de91f4a0aa0f805921e5c42a07d5f2e27c7ab0042c3cd42d445edc884d00465b73fe056e01ddb73b6fa

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
404KB

MD5
3a51be334f3cedd7185130cd60047496

SHA1
5572a04718cffb848ae660713415b8ab95b3ec5c

SHA256
3e6d0b2887dad2ea3845139a31dfc8b8a2923c3f58ae8ba241d1498e1cc7747b

SHA512
ed2dda92f22f1d972508ede37cf6b8cf719e1d53271c2af988fe700e53f4ca0feb7e39712135e1c128f63ebf08ee6a555f35b555243c233afc943a22c9fe5783

Download Submit
memory/2696-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2824-0-0x0000000010000000-0x000000001013D000-memory.dmp

Filesize
1.2MB

Download
memory/2824-2-0x0000000010000000-0x000000001013D000-memory.dmp

Filesize
1.2MB

Download
memory/2824-10-0x00000000020F0000-0x00000000021C6000-memory.dmp

Filesize
856KB

Download
memory/2824-12-0x00000000020F0000-0x00000000021C6000-memory.dmp

Filesize
856KB

Download
memory/2824-42-0x00000000020F0000-0x00000000021C6000-memory.dmp

Filesize
856KB

Download
memory/2840-36-0x00000000001E0000-0x0000000000250000-memory.dmp

Filesize
448KB

Download
memory/2840-37-0x00000000001E0000-0x0000000000250000-memory.dmp

Filesize
448KB

Download
memory/2840-41-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing