Analysis
-
max time kernel
123s -
max time network
134s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:47
Static task
static1
Behavioral task
behavioral1
Sample
e95777adacf41f75297c0641cb1ceba6629b16a1bdc1fe0d88a7824d9ab41a72.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e95777adacf41f75297c0641cb1ceba6629b16a1bdc1fe0d88a7824d9ab41a72.dll
Resource
win10-en-20211208
General
-
Target
e95777adacf41f75297c0641cb1ceba6629b16a1bdc1fe0d88a7824d9ab41a72.dll
-
Size
115KB
-
MD5
e41d37bb1f939ab8b4aecf692902d480
-
SHA1
80caf31180782f77c0a2a24586a686d5fc180ccd
-
SHA256
e95777adacf41f75297c0641cb1ceba6629b16a1bdc1fe0d88a7824d9ab41a72
-
SHA512
b8e483090ccf3909a3e60c09aea34e04168302b0b857ea11beabb4edb59916cc1f7d62b1be6fbb5b52793a949302133202462244ef2d6eedfa6470636b1b71e9
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 980 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1100 wrote to memory of 980 1100 rundll32.exe rundll32.exe PID 1100 wrote to memory of 980 1100 rundll32.exe rundll32.exe PID 1100 wrote to memory of 980 1100 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e95777adacf41f75297c0641cb1ceba6629b16a1bdc1fe0d88a7824d9ab41a72.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e95777adacf41f75297c0641cb1ceba6629b16a1bdc1fe0d88a7824d9ab41a72.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:980
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3024