Analysis
max time kernel: 117s
max time network: 158s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: e902425859251072e8c856657ab2b151f963ab492d7468a13fae24306d62c89d.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: e902425859251072e8c856657ab2b151f963ab492d7468a13fae24306d62c89d.dll
  Resource: win10-en-20211208
General
Target: e902425859251072e8c856657ab2b151f963ab492d7468a13fae24306d62c89d.dll
Size: 141KB
MD5: 5bcd0d08709274844e3c855a19ff8124
SHA1: e5666d44e0f9b9823b69f40df1064781223ef128
SHA256: e902425859251072e8c856657ab2b151f963ab492d7468a13fae24306d62c89d
SHA512: c7a705d4259da041aaa2f207c95348f6af5e4f66c2d57012f3ff8df53b83f37608de89291cdfc53c4082eeec63f2064baa71ab195b050d14ef399410a8186056
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
  description              ioc      process
  File opened (read-only)  \??\U:   rundll32.exe
  File opened (read-only)  \??\X:   rundll32.exe
  File opened (read-only)  \??\Y:   rundll32.exe
  File opened (read-only)  \??\Z:   rundll32.exe
  File opened (read-only)  \??\E:   rundll32.exe
  File opened (read-only)  \??\H:   rundll32.exe
  File opened (read-only)  \??\J:   rundll32.exe
  File opened (read-only)  \??\L:   rundll32.exe
  File opened (read-only)  \??\R:   rundll32.exe
  File opened (read-only)  \??\F:   rundll32.exe
  File opened (read-only)  \??\I:   rundll32.exe
  File opened (read-only)  \??\O:   rundll32.exe
  File opened (read-only)  \??\Q:   rundll32.exe
  File opened (read-only)  \??\K:   rundll32.exe
  File opened (read-only)  \??\N:   rundll32.exe
  File opened (read-only)  \??\V:   rundll32.exe
  File opened (read-only)  \??\W:   rundll32.exe
  File opened (read-only)  \??\P:   rundll32.exe
  File opened (read-only)  \??\S:   rundll32.exe
  File opened (read-only)  \??\T:   rundll32.exe
  File opened (read-only)  \??\A:   rundll32.exe
  File opened (read-only)  \??\B:   rundll32.exe
  File opened (read-only)  \??\G:   rundll32.exe
  File opened (read-only)  \??\M:   rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: rundll32.exe
  description               pid   process
  Token: SeDebugPrivilege   736   rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                        pid    process       target process
  PID 3208 wrote to memory of 736    3208   rundll32.exe  rundll32.exe
  PID 3208 wrote to memory of 736    3208   rundll32.exe  rundll32.exe
  PID 3208 wrote to memory of 736    3208   rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe (PID: 3208)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e902425859251072e8c856657ab2b151f963ab492d7468a13fae24306d62c89d.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID: 736)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e902425859251072e8c856657ab2b151f963ab492d7468a13fae24306d62c89d.dll,#1
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken