Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:48
Static task
static1
Behavioral task
behavioral1
Sample
e6c86be9dfce9d85f7115f1370b94846082c87100466a6d7ba975fd2bc72176f.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e6c86be9dfce9d85f7115f1370b94846082c87100466a6d7ba975fd2bc72176f.dll
Resource
win10-en-20211208
General
-
Target
e6c86be9dfce9d85f7115f1370b94846082c87100466a6d7ba975fd2bc72176f.dll
-
Size
166KB
-
MD5
4c74273e0d60cca59aba845bd165e944
-
SHA1
38474718d7bfb809e2328496e118ad498f0c0aec
-
SHA256
e6c86be9dfce9d85f7115f1370b94846082c87100466a6d7ba975fd2bc72176f
-
SHA512
528e7c8e532b81c4335614f1dd157b3a69da2609423c5f9e0d1b80e7a023267aa7644aa2b91f0728e1ebbfc16e8dd4c407dcecda238ff1a1d40d8aca4c3b6303
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\V: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3972 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 808 wrote to memory of 3972 808 rundll32.exe rundll32.exe PID 808 wrote to memory of 3972 808 rundll32.exe rundll32.exe PID 808 wrote to memory of 3972 808 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e6c86be9dfce9d85f7115f1370b94846082c87100466a6d7ba975fd2bc72176f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e6c86be9dfce9d85f7115f1370b94846082c87100466a6d7ba975fd2bc72176f.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:680