Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 00:52
Static task
static1
Behavioral task
behavioral1
Sample
dddf58d54c7e1b086fc575df30ed923766f2ab9c23ede70c1a109400886dd39f.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
dddf58d54c7e1b086fc575df30ed923766f2ab9c23ede70c1a109400886dd39f.dll
Resource
win10-en-20211208
General
-
Target
dddf58d54c7e1b086fc575df30ed923766f2ab9c23ede70c1a109400886dd39f.dll
-
Size
164KB
-
MD5
75aab937577f6df274fab05ee2baf9f5
-
SHA1
bd0f79c02d8d2b6bf32e0b798b9397f7704b4648
-
SHA256
dddf58d54c7e1b086fc575df30ed923766f2ab9c23ede70c1a109400886dd39f
-
SHA512
f71ad7cdd1f226df19a6d4be4dfc2560512dddceb7e73dd9a119e7422aaadcf20eb21b685e3471af1f4b0fd106561351ef8c332b8a34abc1790a56634d259fea
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\U: rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 828 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid process 1040 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1872 vssvc.exe Token: SeRestorePrivilege 1872 vssvc.exe Token: SeAuditPrivilege 1872 vssvc.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
rundll32.exerundll32.execmd.exedescription pid process target process PID 1692 wrote to memory of 1040 1692 rundll32.exe rundll32.exe PID 1692 wrote to memory of 1040 1692 rundll32.exe rundll32.exe PID 1692 wrote to memory of 1040 1692 rundll32.exe rundll32.exe PID 1692 wrote to memory of 1040 1692 rundll32.exe rundll32.exe PID 1692 wrote to memory of 1040 1692 rundll32.exe rundll32.exe PID 1692 wrote to memory of 1040 1692 rundll32.exe rundll32.exe PID 1692 wrote to memory of 1040 1692 rundll32.exe rundll32.exe PID 1040 wrote to memory of 1408 1040 rundll32.exe cmd.exe PID 1040 wrote to memory of 1408 1040 rundll32.exe cmd.exe PID 1040 wrote to memory of 1408 1040 rundll32.exe cmd.exe PID 1040 wrote to memory of 1408 1040 rundll32.exe cmd.exe PID 1408 wrote to memory of 828 1408 cmd.exe vssadmin.exe PID 1408 wrote to memory of 828 1408 cmd.exe vssadmin.exe PID 1408 wrote to memory of 828 1408 cmd.exe vssadmin.exe PID 1408 wrote to memory of 828 1408 cmd.exe vssadmin.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dddf58d54c7e1b086fc575df30ed923766f2ab9c23ede70c1a109400886dd39f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dddf58d54c7e1b086fc575df30ed923766f2ab9c23ede70c1a109400886dd39f.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:828
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:544
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1040-54-0x00000000754B1000-0x00000000754B3000-memory.dmpFilesize
8KB