Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:51
Static task: static1
Behavioral task: behavioral1
- Sample: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll
- Resource: win10-en-20211208
General
- Target: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll
- Size: 164KB
- MD5: 72b9dc09e641937ab99042a4f148ea95
- SHA1: aa88d64c62f7c605633cd0cd17f191b87f86ecb4
- SHA256: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194
- SHA512: 41e0b5370e506d49dcb3b1bc5799879cf13864528d325f906353a4501a165f5af145e1be450c1631dd3ceab7f8c417618bdaf75582d86979b90990753f27e148
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\F:, \??\G:, \??\I:, \??\M:, \??\Q:, \??\A:, \??\B:, \??\H:, \??\R:, \??\K:, \??\P:, \??\T:, \??\U:, \??\X:, \??\E:, \??\J:, \??\L:, \??\N:, \??\O:, \??\S:, \??\V:, \??\W:, \??\Y:, \??\Z: (one IoC per drive root, in report order; every letter except C: and D:) | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1664 wrote to memory of 1692 | 1664 | rundll32.exe | rundll32.exe (7 identical entries)
  Caveat: both ends of the write are rundll32.exe. In the process tree below the writer is the 64-bit C:\Windows\system32\rundll32.exe and the target is the C:\Windows\SysWOW64\rundll32.exe child it spawned, which is how a 64-bit rundll32 hands a 32-bit DLL to a 32-bit host; the parent writing into a child it has just created is expected there, so this hit on its own is not evidence of injection into a foreign process.
Processes
- C:\Windows\system32\rundll32.exe (PID 1664, per the WriteProcessMemory IoCs)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 1692, the process whose memory region is dumped under Downloads)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll,#1
    - Enumerates connected drives
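The two signatures above are simple to reproduce from event data, and doing so makes the distinction the report leaves implicit explicit: drive enumeration is a per-process count of distinct non-C: roots opened, while a WriteProcessMemory hit needs the images on both sides before it means anything. The following is an added example written for this page, not code from the sandbox or from the sample. It runs over constructed event lines modelled on the IoC rows above (the `file_open` / `wpm` line format, the `min_drives` threshold and the three verdict labels are this example's own assumptions), and classifies the write from the System32 rundll32.exe into its SysWOW64 child as the expected 32-bit relaunch rather than as injection.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the IoC tables above (one event per
# row); this is a compact stand-in, not the sandbox's raw log format.
DRIVE_ROOTS_OPENED = "FGIMQABHRKPTUXEJLNOSVWYZ"  # the 24 drive letters in report order
SAMPLE_EVENTS = [
    f"file_open pid=1692 image=C:\\Windows\\SysWOW64\\rundll32.exe path=\\??\\{d}:"
    for d in DRIVE_ROOTS_OPENED
] + [
    "wpm pid=1664 image=C:\\Windows\\system32\\rundll32.exe "
    "target_pid=1692 target_image=C:\\Windows\\SysWOW64\\rundll32.exe"
] * 7

FILE_OPEN_RE = re.compile(r"^file_open pid=(\d+) image=(\S+) path=\\\?\?\\([A-Za-z]):$")
WPM_RE = re.compile(r"^wpm pid=(\d+) image=(\S+) target_pid=(\d+) target_image=(\S+)$")


def basename(image_path):
    """Last path component of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1]


def enumerates_connected_drives(events, min_drives=3):
    """Signature: a process opens the root of several drives other than C:.

    Returns {pid: [ioc, ...]} for every process at or above the threshold,
    one IoC per distinct drive letter, worded like the report's rows.
    """
    roots = defaultdict(dict)  # pid -> {letter: ioc}
    for line in events:
        m = FILE_OPEN_RE.match(line)
        if not m:
            continue
        pid, image, letter = m.group(1), m.group(2), m.group(3).upper()
        if letter == "C":
            continue  # the default system drive is expected and not counted
        roots[pid].setdefault(
            letter, f"File opened (read-only) \\??\\{letter}: {basename(image)}"
        )
    return {pid: list(iocs.values()) for pid, iocs in roots.items() if len(iocs) >= min_drives}


def classify_write(parent_image, target_image):
    """Triage a cross-process write by the images involved.

    'wow64-relaunch': 64-bit System32 rundll32.exe writing into the SysWOW64
    rundll32.exe it spawned to host a 32-bit DLL; expected, the loader writes
    the child's startup data.  'same-image-child': same binary otherwise.
    'cross-image-write': different binary, the shape injection usually has.
    """
    parent, target = basename(parent_image).lower(), basename(target_image).lower()
    if parent != target:
        return "cross-image-write"
    if (parent == "rundll32.exe"
            and "\\system32\\" in parent_image.lower()
            and "\\syswow64\\" in target_image.lower()):
        return "wow64-relaunch"
    return "same-image-child"


def suspicious_write_process_memory(events):
    """Signature: any WriteProcessMemory into another process.

    Returns (iocs, verdicts): one IoC string per write, and a verdict per
    (writer pid, target pid) pair from classify_write().
    """
    iocs, verdicts = [], {}
    for line in events:
        m = WPM_RE.match(line)
        if not m:
            continue
        pid, image, tpid, timage = m.groups()
        iocs.append(f"PID {pid} wrote to memory of {tpid} {basename(image)} {basename(timage)}")
        verdicts[(pid, tpid)] = classify_write(image, timage)
    return iocs, verdicts


if __name__ == "__main__":
    for pid, iocs in enumerates_connected_drives(SAMPLE_EVENTS).items():
        print(f"Enumerates connected drives: pid {pid}, {len(iocs)} IoCs")
    iocs, verdicts = suspicious_write_process_memory(SAMPLE_EVENTS)
    print(f"Suspicious use of WriteProcessMemory: {len(iocs)} IoCs, verdicts {verdicts}")
```

On the constructed events this yields exactly the report's counts (24 drive-root IoCs for PID 1692, 7 writes from PID 1664 into 1692) and a single `wow64-relaunch` verdict for the pair; the same write into a different image would come back as `cross-image-write`, which is the case worth escalating.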
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1692-54-0x00000000754B1000-0x00000000754B3000-memory.dmp (8KB)