Analysis
- max time kernel: 117s
- max time network: 141s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:51
Static task: static1

Behavioral task: behavioral1
- Sample: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll
- Resource: win10-en-20211208
General
- Target: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll
- Size: 164KB
- MD5: 72b9dc09e641937ab99042a4f148ea95
- SHA1: aa88d64c62f7c605633cd0cd17f191b87f86ecb4
- SHA256: e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194
- SHA512: 41e0b5370e506d49dcb3b1bc5799879cf13864528d325f906353a4501a165f5af145e1be450c1631dd3ceab7f8c417618bdaf75582d86979b90990753f27e148
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
    description               ioc      process
    File opened (read-only)   \??\A:   rundll32.exe
    File opened (read-only)   \??\H:   rundll32.exe
    File opened (read-only)   \??\L:   rundll32.exe
    File opened (read-only)   \??\M:   rundll32.exe
    File opened (read-only)   \??\R:   rundll32.exe
    File opened (read-only)   \??\X:   rundll32.exe
    File opened (read-only)   \??\F:   rundll32.exe
    File opened (read-only)   \??\N:   rundll32.exe
    File opened (read-only)   \??\V:   rundll32.exe
    File opened (read-only)   \??\W:   rundll32.exe
    File opened (read-only)   \??\G:   rundll32.exe
    File opened (read-only)   \??\I:   rundll32.exe
    File opened (read-only)   \??\K:   rundll32.exe
    File opened (read-only)   \??\T:   rundll32.exe
    File opened (read-only)   \??\U:   rundll32.exe
    File opened (read-only)   \??\B:   rundll32.exe
    File opened (read-only)   \??\E:   rundll32.exe
    File opened (read-only)   \??\J:   rundll32.exe
    File opened (read-only)   \??\O:   rundll32.exe
    File opened (read-only)   \??\P:   rundll32.exe
    File opened (read-only)   \??\Q:   rundll32.exe
    File opened (read-only)   \??\S:   rundll32.exe
    File opened (read-only)   \??\Y:   rundll32.exe
    File opened (read-only)   \??\Z:   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid    process
    3052   rundll32.exe
    3052   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                         pid    process        target process
    PID 3764 wrote to memory of 3052    3764   rundll32.exe   rundll32.exe
    PID 3764 wrote to memory of 3052    3764   rundll32.exe   rundll32.exe
    PID 3764 wrote to memory of 3052    3764   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e08e62a60edb3d83e8ead3b53fa9ca53d44f6df7496db81d6f977df589444194.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding