Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:52
Static task: static1
Behavioral task: behavioral1
  Sample: de08a0f001ecbb0303511d29807c419d770e383c76bf7f83e2cb12365af0bfca.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: de08a0f001ecbb0303511d29807c419d770e383c76bf7f83e2cb12365af0bfca.dll
  Resource: win10-en-20211208
General
- Target: de08a0f001ecbb0303511d29807c419d770e383c76bf7f83e2cb12365af0bfca.dll
- Size: 115KB
- MD5: f3872a3c4750812c4bbcf48f8df1e294
- SHA1: 454ecb3f4ef05e5ef8009465133d5db5eeab61d2
- SHA256: de08a0f001ecbb0303511d29807c419d770e383c76bf7f83e2cb12365af0bfca
- SHA512: 7ff9fc5b29cc8525a0381de26143defde4822a5163aae50ca03b6f05a51875f4ac19eb2720a8ceb6def3026472b518ee72db3e15016e3cadc52743d1999cadc2
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description              ioc      process
File opened (read-only)  \??\R:   rundll32.exe
File opened (read-only)  \??\T:   rundll32.exe
File opened (read-only)  \??\V:   rundll32.exe
File opened (read-only)  \??\X:   rundll32.exe
File opened (read-only)  \??\A:   rundll32.exe
File opened (read-only)  \??\F:   rundll32.exe
File opened (read-only)  \??\J:   rundll32.exe
File opened (read-only)  \??\L:   rundll32.exe
File opened (read-only)  \??\P:   rundll32.exe
File opened (read-only)  \??\S:   rundll32.exe
File opened (read-only)  \??\U:   rundll32.exe
File opened (read-only)  \??\H:   rundll32.exe
File opened (read-only)  \??\I:   rundll32.exe
File opened (read-only)  \??\K:   rundll32.exe
File opened (read-only)  \??\M:   rundll32.exe
File opened (read-only)  \??\O:   rundll32.exe
File opened (read-only)  \??\Q:   rundll32.exe
File opened (read-only)  \??\W:   rundll32.exe
File opened (read-only)  \??\Y:   rundll32.exe
File opened (read-only)  \??\B:   rundll32.exe
File opened (read-only)  \??\E:   rundll32.exe
File opened (read-only)  \??\G:   rundll32.exe
File opened (read-only)  \??\N:   rundll32.exe
File opened (read-only)  \??\Z:   rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: rundll32.exe
description              pid   process
Token: SeDebugPrivilege  4064  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description                       pid   process       target process
PID 3736 wrote to memory of 4064  3736  rundll32.exe  rundll32.exe
PID 3736 wrote to memory of 4064  3736  rundll32.exe  rundll32.exe
PID 3736 wrote to memory of 4064  3736  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\de08a0f001ecbb0303511d29807c419d770e383c76bf7f83e2cb12365af0bfca.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3736
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, child of PID 3736)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\de08a0f001ecbb0303511d29807c419d770e383c76bf7f83e2cb12365af0bfca.dll,#1
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID: 4064