Analysis
-
max time kernel
124s -
max time network
134s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:47
Static task
static1
Behavioral task
behavioral1
Sample
e73d01fbf1d615bbb9c90bf88e492c7ec87f77ed2143e2e268ddab35fb62391b.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e73d01fbf1d615bbb9c90bf88e492c7ec87f77ed2143e2e268ddab35fb62391b.dll
Resource
win10-en-20211208
General
-
Target
e73d01fbf1d615bbb9c90bf88e492c7ec87f77ed2143e2e268ddab35fb62391b.dll
-
Size
115KB
-
MD5
44224f7a2ff55a910ade838c09e369a2
-
SHA1
f299fbb75f2df34ee4c7b5992a7a1ec08af9acc9
-
SHA256
e73d01fbf1d615bbb9c90bf88e492c7ec87f77ed2143e2e268ddab35fb62391b
-
SHA512
3aaf85f75374995309df59096ea58792cb84f6b84e2b58a7a62f0ace8aa6581f1feda4f87515f62d0bdfe4fac13afb08d8c8c8f37cdd2b1e8924bef4e78f4ca6
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\I: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3916 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3188 wrote to memory of 3916 3188 rundll32.exe rundll32.exe PID 3188 wrote to memory of 3916 3188 rundll32.exe rundll32.exe PID 3188 wrote to memory of 3916 3188 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e73d01fbf1d615bbb9c90bf88e492c7ec87f77ed2143e2e268ddab35fb62391b.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e73d01fbf1d615bbb9c90bf88e492c7ec87f77ed2143e2e268ddab35fb62391b.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:960