Analysis
-
max time kernel
123s -
max time network
134s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:46
Static task
static1
Behavioral task
behavioral1
Sample
e9777c5c920359636269fe2241ec7ca1df755e716d5704741fb1bd9b24ebcd52.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e9777c5c920359636269fe2241ec7ca1df755e716d5704741fb1bd9b24ebcd52.dll
Resource
win10-en-20211208
General
-
Target
e9777c5c920359636269fe2241ec7ca1df755e716d5704741fb1bd9b24ebcd52.dll
-
Size
166KB
-
MD5
2d64eb963d775abd1f20229b5bbb4c21
-
SHA1
ebd9953721fe8795abf963cabd81a4f90219d145
-
SHA256
e9777c5c920359636269fe2241ec7ca1df755e716d5704741fb1bd9b24ebcd52
-
SHA512
c5280d4224cd2c6b9a8da7b31f110a2d5a2c26cef2bc08b8e3b2994f947311bc153c9f391ec7f12822735ffff2c61c246aa93f93543e2ca9df25ba399464b06c
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\J: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2800 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 616 wrote to memory of 2800 616 rundll32.exe rundll32.exe PID 616 wrote to memory of 2800 616 rundll32.exe rundll32.exe PID 616 wrote to memory of 2800 616 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9777c5c920359636269fe2241ec7ca1df755e716d5704741fb1bd9b24ebcd52.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9777c5c920359636269fe2241ec7ca1df755e716d5704741fb1bd9b24ebcd52.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3960