Analysis
-
max time kernel
118s -
max time network
126s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:43
Static task
static1
Behavioral task
behavioral1
Sample
f1cff858f5006ebdb0971652d0f2f36e7ed085fe13ecdaea1ce8384eaba702d7.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
f1cff858f5006ebdb0971652d0f2f36e7ed085fe13ecdaea1ce8384eaba702d7.dll
Resource
win10-en-20211208
General
-
Target
f1cff858f5006ebdb0971652d0f2f36e7ed085fe13ecdaea1ce8384eaba702d7.dll
-
Size
115KB
-
MD5
c738c80a4801a5bdfbab4793420b08b7
-
SHA1
17f52d3c9e20f3dbd167f739d3d14ee6fe2a0124
-
SHA256
f1cff858f5006ebdb0971652d0f2f36e7ed085fe13ecdaea1ce8384eaba702d7
-
SHA512
a100c30651fed750813649bd05e7f3912f2d07a0cf497447f3dab2697e102e0dfdc4247537d5cbabfb3d2072e40340272c86374cb14cf3d22f0c0e7cc0d9a846
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\T: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3204 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3260 wrote to memory of 3204 3260 rundll32.exe rundll32.exe PID 3260 wrote to memory of 3204 3260 rundll32.exe rundll32.exe PID 3260 wrote to memory of 3204 3260 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f1cff858f5006ebdb0971652d0f2f36e7ed085fe13ecdaea1ce8384eaba702d7.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f1cff858f5006ebdb0971652d0f2f36e7ed085fe13ecdaea1ce8384eaba702d7.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3204
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1216