Analysis
-
max time kernel
153s -
max time network
164s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:54
Static task
static1
Behavioral task
behavioral1
Sample
dad3431f42dd3bac7fa36ed24b40bfb6e8d7ccce71c325ee0c068e7b1a1de1ad.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
dad3431f42dd3bac7fa36ed24b40bfb6e8d7ccce71c325ee0c068e7b1a1de1ad.dll
Resource
win10-en-20211208
General
-
Target
dad3431f42dd3bac7fa36ed24b40bfb6e8d7ccce71c325ee0c068e7b1a1de1ad.dll
-
Size
116KB
-
MD5
a43259f30640f6f2e0f03e94b813237f
-
SHA1
17e25c096c068f407fa9b5a69672f0e86b743ec0
-
SHA256
dad3431f42dd3bac7fa36ed24b40bfb6e8d7ccce71c325ee0c068e7b1a1de1ad
-
SHA512
f53925f4ec297f114310eb9f2b078b710fdf789df322b825730634de38e0ab320e6942fca18999198db04e916a1642824610b337f27bcb903a8814fa9d073607
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\A: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2732 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2584 wrote to memory of 2732 2584 rundll32.exe rundll32.exe PID 2584 wrote to memory of 2732 2584 rundll32.exe rundll32.exe PID 2584 wrote to memory of 2732 2584 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dad3431f42dd3bac7fa36ed24b40bfb6e8d7ccce71c325ee0c068e7b1a1de1ad.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dad3431f42dd3bac7fa36ed24b40bfb6e8d7ccce71c325ee0c068e7b1a1de1ad.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2460