Analysis
  max time kernel:  119s
  max time network: 127s
  platform:         windows10_x64
  resource:         win10-en-20211208
  submitted:        24-01-2022 00:45
Static task:     static1
Behavioral task: behavioral1
  Sample:   ee0a18f121ccf96b1a346f5c6b4c69e735dea57b3f45977a139135d177b266b8.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   ee0a18f121ccf96b1a346f5c6b4c69e735dea57b3f45977a139135d177b266b8.dll
  Resource: win10-en-20211208
General
  Target: ee0a18f121ccf96b1a346f5c6b4c69e735dea57b3f45977a139135d177b266b8.dll
  Size:   116KB
  MD5:    3b8877a1cca8ca727856882896582fb0
  SHA1:   0cf90549ce3048f94ee64b9e11e17504c56a7e07
  SHA256: ee0a18f121ccf96b1a346f5c6b4c69e735dea57b3f45977a139135d177b266b8
  SHA512: 5488799fb6ec60e10bb4cb6e7afb4f49522ccc4e4b1e172d0675369b24f9cb118059654f0bc07f79871f613a4759c2c796e040dd896e4af9083c58a6c374483f
Malware Config
Signatures
Enumerates connected drives  (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\E:  rundll32.exe
  File opened (read-only)  \??\Q:  rundll32.exe
  File opened (read-only)  \??\V:  rundll32.exe
  File opened (read-only)  \??\Z:  rundll32.exe
  File opened (read-only)  \??\B:  rundll32.exe
  File opened (read-only)  \??\F:  rundll32.exe
  File opened (read-only)  \??\G:  rundll32.exe
  File opened (read-only)  \??\T:  rundll32.exe
  File opened (read-only)  \??\X:  rundll32.exe
  File opened (read-only)  \??\Y:  rundll32.exe
  File opened (read-only)  \??\A:  rundll32.exe
  File opened (read-only)  \??\K:  rundll32.exe
  File opened (read-only)  \??\L:  rundll32.exe
  File opened (read-only)  \??\N:  rundll32.exe
  File opened (read-only)  \??\O:  rundll32.exe
  File opened (read-only)  \??\S:  rundll32.exe
  File opened (read-only)  \??\U:  rundll32.exe
  File opened (read-only)  \??\H:  rundll32.exe
  File opened (read-only)  \??\I:  rundll32.exe
  File opened (read-only)  \??\J:  rundll32.exe
  File opened (read-only)  \??\M:  rundll32.exe
  File opened (read-only)  \??\P:  rundll32.exe
  File opened (read-only)  \??\R:  rundll32.exe
  File opened (read-only)  \??\W:  rundll32.exe
Suspicious use of AdjustPrivilegeToken  (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3116  rundll32.exe
Suspicious use of WriteProcessMemory  (3 IoCs)
Processes:
  description                      pid  process       target process
  PID 656 wrote to memory of 3116  656  rundll32.exe  rundll32.exe
  PID 656 wrote to memory of 3116  656  rundll32.exe  rundll32.exe
  PID 656 wrote to memory of 3116  656  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee0a18f121ccf96b1a346f5c6b4c69e735dea57b3f45977a139135d177b266b8.dll,#1
    PID: 656
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee0a18f121ccf96b1a346f5c6b4c69e735dea57b3f45977a139135d177b266b8.dll,#1
      PID: 3116
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wbem\unsecapp.exe
    command: C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID: 1104