Analysis
- max time kernel: 118s
- max time network: 156s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:53
Static task: static1
Behavioral task: behavioral1
- Sample: dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80.dll
- Resource: win10-en-20211208
General
- Target: dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80.dll
- Size: 164KB
- MD5: 99e2b579a030e251d4036db28e048c90
- SHA1: 140dfe38d2fce298f5d5a4a8392494f30b7dea63
- SHA256: dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80
- SHA512: 74dd874dd47931b3de5336936aff1785d77a1f403fa121c61ff315b90140089dd4a47390661e9013f2a9552a405202ba2f672a4dcda660ec871379d7662c9915
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description: File opened (read-only) by rundll32.exe
  ioc: \??\Y:, \??\Z:, \??\A:, \??\E:, \??\O:, \??\Q:, \??\S:, \??\T:, \??\L:, \??\M:, \??\N:, \??\P:, \??\R:, \??\U:, \??\W:, \??\X:, \??\B:, \??\F:, \??\G:, \??\J:, \??\K:, \??\H:, \??\I:, \??\V:
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid / process:
  - 3036 rundll32.exe
  - 3036 rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description / pid / process / target process:
  - PID 4108 wrote to memory of 3036 / 4108 / rundll32.exe / rundll32.exe
  - PID 4108 wrote to memory of 3036 / 4108 / rundll32.exe / rundll32.exe
  - PID 4108 wrote to memory of 3036 / 4108 / rundll32.exe / rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding