Analysis
- max time kernel: 123s
- max time network: 130s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:45

Static task: static1

Behavioral task: behavioral1
- Sample: ecaa2b46d7bf529aa93f2a7e20b912ab3edd641d37ee755595daaa94cd62b83c.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: ecaa2b46d7bf529aa93f2a7e20b912ab3edd641d37ee755595daaa94cd62b83c.dll
- Resource: win10-en-20211208
General
- Target: ecaa2b46d7bf529aa93f2a7e20b912ab3edd641d37ee755595daaa94cd62b83c.dll
- Size: 115KB
- MD5: ea79b4e7b34aac0dedbf42d7778ca3f4
- SHA1: 7d15cc9bf05c60588aef9a0aebe7e5cca7fb78b8
- SHA256: ecaa2b46d7bf529aa93f2a7e20b912ab3edd641d37ee755595daaa94cd62b83c
- SHA512: 01ba5b74647365f00998fa6aa529406a3e6d30db27db2f2113dc7cb0cb1ad131cefec491f8e218ea87bdc8d51ec285911b1532d9f6eee92aafa7e2cea6124f92
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\I: | rundll32.exe
  File opened (read-only) | \??\L: | rundll32.exe
  File opened (read-only) | \??\O: | rundll32.exe
  File opened (read-only) | \??\P: | rundll32.exe
  File opened (read-only) | \??\V: | rundll32.exe
  File opened (read-only) | \??\X: | rundll32.exe
  File opened (read-only) | \??\B: | rundll32.exe
  File opened (read-only) | \??\K: | rundll32.exe
  File opened (read-only) | \??\R: | rundll32.exe
  File opened (read-only) | \??\S: | rundll32.exe
  File opened (read-only) | \??\W: | rundll32.exe
  File opened (read-only) | \??\A: | rundll32.exe
  File opened (read-only) | \??\F: | rundll32.exe
  File opened (read-only) | \??\H: | rundll32.exe
  File opened (read-only) | \??\T: | rundll32.exe
  File opened (read-only) | \??\U: | rundll32.exe
  File opened (read-only) | \??\Z: | rundll32.exe
  File opened (read-only) | \??\E: | rundll32.exe
  File opened (read-only) | \??\J: | rundll32.exe
  File opened (read-only) | \??\M: | rundll32.exe
  File opened (read-only) | \??\N: | rundll32.exe
  File opened (read-only) | \??\Q: | rundll32.exe
  File opened (read-only) | \??\Y: | rundll32.exe
  File opened (read-only) | \??\G: | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: rundll32.exe
  description | pid | process
  Token: SeDebugPrivilege | 2892 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2228 wrote to memory of 2892 | 2228 | rundll32.exe | rundll32.exe
  PID 2228 wrote to memory of 2892 | 2228 | rundll32.exe | rundll32.exe
  PID 2228 wrote to memory of 2892 | 2228 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecaa2b46d7bf529aa93f2a7e20b912ab3edd641d37ee755595daaa94cd62b83c.dll,#1
  PID: 2228
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecaa2b46d7bf529aa93f2a7e20b912ab3edd641d37ee755595daaa94cd62b83c.dll,#1
    PID: 2892
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 776