Analysis
-
max time kernel
121s -
max time network
118s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:46
Static task
static1
Behavioral task
behavioral1
Sample
e9de2aece957ca9ae2ec4c100f80b8788f907758556e01a824fe4542d68899e9.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e9de2aece957ca9ae2ec4c100f80b8788f907758556e01a824fe4542d68899e9.dll
Resource
win10-en-20211208
General
-
Target
e9de2aece957ca9ae2ec4c100f80b8788f907758556e01a824fe4542d68899e9.dll
-
Size
115KB
-
MD5
a21d2ba7198846c24841afc8905b1b76
-
SHA1
73baeed787cd2147ed401b419b3f02d00c62b9fa
-
SHA256
e9de2aece957ca9ae2ec4c100f80b8788f907758556e01a824fe4542d68899e9
-
SHA512
9f9ccd87cc822aa8b0a435ed4abdd418a1aa3dbc9307e36b5235965a2cc1102bae2ea27471b30840606c823402de0c41ce104111065c23980b9e1835261ab39c
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\V: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 776 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3856 wrote to memory of 776 3856 rundll32.exe rundll32.exe PID 3856 wrote to memory of 776 3856 rundll32.exe rundll32.exe PID 3856 wrote to memory of 776 3856 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9de2aece957ca9ae2ec4c100f80b8788f907758556e01a824fe4542d68899e9.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9de2aece957ca9ae2ec4c100f80b8788f907758556e01a824fe4542d68899e9.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:776