3c2bfb840a89298362078051b0b0090acb291298cfa3189572ecdc954baaed0f

Resubmissions

22/01/2025, 15:48 UTC

250122-s86egsvkhk 10

22/01/2025, 14:37 UTC

250122-ry8w7a1kds 10

Analysis

max time kernel
96s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 15:48 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

real shit/api-ms-win-core-processthreads-l1-1-0.dll
Size

13KB
MD5

1641a8027af5a754dd164d6044917014
SHA1

5577d0be9d5d3874448e9f2c77286870c05f6d1d
SHA256

f8c0711a512059c648e83bef2f5b23119a454f457496e1dfead71d6942298863
SHA512

dded04a5211fe7762952afe39d51fa3540c0d7025c19468d2b5218f58bdd88043977f9eff99aa33decb6599bb3a4dd2a326cf9fc4fd7f6c4f3d38ef18e77d339
SSDEEP

384:1Hk1JzBcKcIpWphW8wGyaGECifl/zdbQD:1+cKc1/tzO

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2024	2032	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2032	1404	rundll32.exe	83
PID 1404 wrote to memory of 2032	1404	rundll32.exe	83
PID 1404 wrote to memory of 2032	1404	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\real shit\api-ms-win-core-processthreads-l1-1-0.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\real shit\api-ms-win-core-processthreads-l1-1-0.dll",#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 600
    3⤵
    - Program crash
    PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2032 -ip 2032
1⤵
PID:4980

Network

DNS

210.156.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.156.23.2.in-addr.arpa

IN PTR

Response

210.156.23.2.in-addr.arpa

IN PTR

a2-23-156-210deploystaticakamaitechnologiescom
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

3.108.50.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.108.50.23.in-addr.arpa

IN PTR

Response

3.108.50.23.in-addr.arpa

IN PTR

a23-50-108-3deploystaticakamaitechnologiescom
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

130.118.77.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

130.118.77.104.in-addr.arpa

IN PTR

Response

130.118.77.104.in-addr.arpa

IN PTR

a104-77-118-130deploystaticakamaitechnologiescom
DNS

98.250.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.250.22.2.in-addr.arpa

IN PTR

Response

98.250.22.2.in-addr.arpa

IN PTR

a2-22-250-98deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

210.156.23.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

210.156.23.2.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

3.108.50.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

3.108.50.23.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

130.118.77.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

130.118.77.104.in-addr.arpa
8.8.8.8:53

98.250.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

98.250.22.2.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.