4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0e

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0eN.dll
Size

1.3MB
MD5

a144334228809a0b969104fc9fbcebb0
SHA1

3be701d9782bdb34fd324b70c1382ba587040833
SHA256

4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0e
SHA512

0562a77168a1d1b7292632c9ec4842adce02fcaf7ce8e34d709bc7dc86702c85574985ff3e78f8d780a0a437e58777c8e4e4af05e2c305403b976547ec107cc1
SSDEEP

12288:Y9g8GZHpzAac5naAd25L5O+FQ7lW8lZ60ICPxaf6og38BfSH6gqrandxT+is3pjn:Y68+O6pvbt/wuzTB2OFi1u

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	rundll32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2680	rundll32.exe
2680	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2084	2680	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2896	rundll32mgr.exe

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe
2896	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	rundll32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2680	1972	rundll32.exe	30
PID 1972 wrote to memory of 2680	1972	rundll32.exe	30
PID 1972 wrote to memory of 2680	1972	rundll32.exe	30
PID 1972 wrote to memory of 2680	1972	rundll32.exe	30
PID 1972 wrote to memory of 2680	1972	rundll32.exe	30
PID 1972 wrote to memory of 2680	1972	rundll32.exe	30
PID 1972 wrote to memory of 2680	1972	rundll32.exe	30
PID 2680 wrote to memory of 2896	2680	rundll32.exe	31
PID 2680 wrote to memory of 2896	2680	rundll32.exe	31
PID 2680 wrote to memory of 2896	2680	rundll32.exe	31
PID 2680 wrote to memory of 2896	2680	rundll32.exe	31
PID 2680 wrote to memory of 2084	2680	rundll32.exe	32
PID 2680 wrote to memory of 2084	2680	rundll32.exe	32
PID 2680 wrote to memory of 2084	2680	rundll32.exe	32
PID 2680 wrote to memory of 2084	2680	rundll32.exe	32
PID 2896 wrote to memory of 384	2896	rundll32mgr.exe	3
PID 2896 wrote to memory of 384	2896	rundll32mgr.exe	3
PID 2896 wrote to memory of 384	2896	rundll32mgr.exe	3
PID 2896 wrote to memory of 384	2896	rundll32mgr.exe	3
PID 2896 wrote to memory of 384	2896	rundll32mgr.exe	3
PID 2896 wrote to memory of 384	2896	rundll32mgr.exe	3
PID 2896 wrote to memory of 384	2896	rundll32mgr.exe	3
PID 2896 wrote to memory of 396	2896	rundll32mgr.exe	4
PID 2896 wrote to memory of 396	2896	rundll32mgr.exe	4
PID 2896 wrote to memory of 396	2896	rundll32mgr.exe	4
PID 2896 wrote to memory of 396	2896	rundll32mgr.exe	4
PID 2896 wrote to memory of 396	2896	rundll32mgr.exe	4
PID 2896 wrote to memory of 396	2896	rundll32mgr.exe	4
PID 2896 wrote to memory of 396	2896	rundll32mgr.exe	4
PID 2896 wrote to memory of 432	2896	rundll32mgr.exe	5
PID 2896 wrote to memory of 432	2896	rundll32mgr.exe	5
PID 2896 wrote to memory of 432	2896	rundll32mgr.exe	5
PID 2896 wrote to memory of 432	2896	rundll32mgr.exe	5
PID 2896 wrote to memory of 432	2896	rundll32mgr.exe	5
PID 2896 wrote to memory of 432	2896	rundll32mgr.exe	5
PID 2896 wrote to memory of 432	2896	rundll32mgr.exe	5
PID 2896 wrote to memory of 476	2896	rundll32mgr.exe	6
PID 2896 wrote to memory of 476	2896	rundll32mgr.exe	6
PID 2896 wrote to memory of 476	2896	rundll32mgr.exe	6
PID 2896 wrote to memory of 476	2896	rundll32mgr.exe	6
PID 2896 wrote to memory of 476	2896	rundll32mgr.exe	6
PID 2896 wrote to memory of 476	2896	rundll32mgr.exe	6
PID 2896 wrote to memory of 476	2896	rundll32mgr.exe	6
PID 2896 wrote to memory of 492	2896	rundll32mgr.exe	7
PID 2896 wrote to memory of 492	2896	rundll32mgr.exe	7
PID 2896 wrote to memory of 492	2896	rundll32mgr.exe	7
PID 2896 wrote to memory of 492	2896	rundll32mgr.exe	7
PID 2896 wrote to memory of 492	2896	rundll32mgr.exe	7
PID 2896 wrote to memory of 492	2896	rundll32mgr.exe	7
PID 2896 wrote to memory of 492	2896	rundll32mgr.exe	7
PID 2896 wrote to memory of 500	2896	rundll32mgr.exe	8
PID 2896 wrote to memory of 500	2896	rundll32mgr.exe	8
PID 2896 wrote to memory of 500	2896	rundll32mgr.exe	8
PID 2896 wrote to memory of 500	2896	rundll32mgr.exe	8
PID 2896 wrote to memory of 500	2896	rundll32mgr.exe	8
PID 2896 wrote to memory of 500	2896	rundll32mgr.exe	8
PID 2896 wrote to memory of 500	2896	rundll32mgr.exe	8
PID 2896 wrote to memory of 596	2896	rundll32mgr.exe	9
PID 2896 wrote to memory of 596	2896	rundll32mgr.exe	9
PID 2896 wrote to memory of 596	2896	rundll32mgr.exe	9
PID 2896 wrote to memory of 596	2896	rundll32mgr.exe	9
PID 2896 wrote to memory of 596	2896	rundll32mgr.exe	9
PID 2896 wrote to memory of 596	2896	rundll32mgr.exe	9
PID 2896 wrote to memory of 596	2896	rundll32mgr.exe	9

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2004
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1592
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1040
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1064
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1072
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1168
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1408
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2460
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:648
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1128
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0eN.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0eN.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 228
      4⤵
      Program crash
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
112KB

MD5
787f5a2f9878eecd525f0ca2f7f71749

SHA1
c0da1509885c34f2f40f6f557a366bba00d767b3

SHA256
a96ea157adae6d6e44274d0b27a68074e24afd21973123dbacf1e5325aeb4438

SHA512
306c9b2ce87ed7e5c8c7dd557927811bfe65dd49ae735a007e8189024376c5192bc5ef879a26d32e718746cc93b8343d05b6515c0a63fc85860a614dbb5b090d

Download Submit
memory/2084-15-0x000000007EFA0000-0x000000007EFAA000-memory.dmp

Filesize
40KB

Download
memory/2084-16-0x000000007EFA0000-0x000000007EFAA000-memory.dmp

Filesize
40KB

Download
memory/2680-3-0x0000000010000000-0x0000000010147000-memory.dmp

Filesize
1.3MB

Download
memory/2680-9-0x0000000010000000-0x0000000010147000-memory.dmp

Filesize
1.3MB

Download
memory/2680-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2896-13-0x00000000771BF000-0x00000000771C0000-memory.dmp

Filesize
4KB

Download
memory/2896-12-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/2896-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2896-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download