fd95341188e806c0394accebbce84a3b3dd82c5e5263bc3f9737e96c3008d6e3

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd95341188e806c0394accebbce84a3b3dd82c5e5263bc3f9737e96c3008d6e3.dll
Size

554KB
MD5

cd9488a8aed4b4fb5836d6ae10a897a1
SHA1

3db525aff61e107cdd9ed9e0ce839ee583408c07
SHA256

fd95341188e806c0394accebbce84a3b3dd82c5e5263bc3f9737e96c3008d6e3
SHA512

fe6b175586f3ac893e3ac530290b7e180fabc604ae198d969f492258a4afac3399e1cca31fc3fffa7c8928bd7ebd47dd928e76819c1e88d48e3802ac3c40d368
SSDEEP

12288:ah8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNvrm4O9rR+:a8F+Pzr/Hfp4MIYwZckMQmvrmn8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	rundll32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
348	rundll32.exe
348	rundll32.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	2776	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 348	844	rundll32.exe	29
PID 844 wrote to memory of 348	844	rundll32.exe	29
PID 844 wrote to memory of 348	844	rundll32.exe	29
PID 844 wrote to memory of 348	844	rundll32.exe	29
PID 844 wrote to memory of 348	844	rundll32.exe	29
PID 844 wrote to memory of 348	844	rundll32.exe	29
PID 844 wrote to memory of 348	844	rundll32.exe	29
PID 348 wrote to memory of 2776	348	rundll32.exe	30
PID 348 wrote to memory of 2776	348	rundll32.exe	30
PID 348 wrote to memory of 2776	348	rundll32.exe	30
PID 348 wrote to memory of 2776	348	rundll32.exe	30
PID 2776 wrote to memory of 2408	2776	rundll32mgr.exe	31
PID 2776 wrote to memory of 2408	2776	rundll32mgr.exe	31
PID 2776 wrote to memory of 2408	2776	rundll32mgr.exe	31
PID 2776 wrote to memory of 2408	2776	rundll32mgr.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd95341188e806c0394accebbce84a3b3dd82c5e5263bc3f9737e96c3008d6e3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd95341188e806c0394accebbce84a3b3dd82c5e5263bc3f9737e96c3008d6e3.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 92
      4⤵
      Loads dropped DLL
      Program crash
      PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe

Filesize
119KB

MD5
6cfb85f1741b245f7c7774de1107e0fa

SHA1
59cbd10ae2cd0142fc090345fc59ccf4973030a4

SHA256
9865c7b2dd93dd0292508153a19398804630e1f41d8850421679786be6fead9e

SHA512
0a58981b86d9051ce13558571bad1c879e04cd1204ca6cac942cdace59ff2fdd1d985ff881dbaf54bdd7a745ba4358128781126dbc472892c3a2281fe3262681

Download Submit
memory/348-0-0x0000000010000000-0x0000000010090000-memory.dmp

Filesize
576KB

Download
memory/348-2-0x0000000010000000-0x0000000010090000-memory.dmp

Filesize
576KB

Download
memory/348-9-0x0000000000250000-0x0000000000278000-memory.dmp

Filesize
160KB

Download
memory/2776-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2776-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download