413f106555a4bc9147878a7bec9bd32983da07a8c4d8cd898055f7d83c94137d

Analysis

max time kernel
102s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2025, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dosbox/svn/3DfxSpl2.dll
Size

1.1MB
MD5

08a1b06fe2fee5a1e3b33f1d71b84705
SHA1

995b3f1a5916a047aa1365afacc292c3be21de62
SHA256

262c70749ac24b4d3691e39767d3e01b5b4957b9b82768186e5faa58f395ceba
SHA512

7fa595eb88a452a5bd0de05bfca85f1119ddecec58c377bd1321057f223bf9856382bf7abd2c996c1ccb50e7c28c5b28856b782a77fbf91b2b76a040bc9f38fd
SSDEEP

12288:hmHPTPzZIibdk3hsCmx0okm1WoCnf1/Hnsp97P7jpD7P74nUpInLpN7P7:s79bdahsbbmdWptpjpAp

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4408	5876	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5624 wrote to memory of 5876	5624	rundll32.exe	85
PID 5624 wrote to memory of 5876	5624	rundll32.exe	85
PID 5624 wrote to memory of 5876	5624	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dosbox\svn\3DfxSpl2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5624
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dosbox\svn\3DfxSpl2.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 620
    3⤵
    - Program crash
    PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5876 -ip 5876
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dosbox\svn\glide.log

Filesize
241B

MD5
de457666d2838d6c20a26a0306c3a8d3

SHA1
58d661b386adc783d51c8fa3330cc8a77e423956

SHA256
dc2f555f799f0317a66a92f6a6ffa9986c4ead5e06cb989f23d4e57ac6eef21a

SHA512
6e555061e265d500466dce47f0e627c712d364f9ab28d0f525ddc13d4ca7b3a5e200dd4df9378b6b8d81c853794a473ac6a8b2c4dc05a4599bc1d0c2a86bfc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\dosbox\svn\glide.log

Filesize
720B

MD5
f02c2017d41499d4c8c6f2b81ab323b2

SHA1
30aca14e764aab8b2329fb9bd9d7ba7d9a00ba66

SHA256
6d56ac25d0cbf7591ebcda20c05168e1790c0ab29dce4a25ec7cda7cb64319c5

SHA512
797a5cca4338a6eab228f4525349b49257b920023dee4e7be88c5c4a4c4528878bdc93eb89ccae3282a9ec17884af1cdead43a3f34dfa96d7df3230eaab98357

Download Submit