Analysis
-
max time kernel
123s -
max time network
137s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:54
Static task
static1
Behavioral task
behavioral1
Sample
da74221e6e6eee961014701cd7f8be3805b324a602264b6801e766c4991906be.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
da74221e6e6eee961014701cd7f8be3805b324a602264b6801e766c4991906be.dll
Resource
win10-en-20211208
General
-
Target
da74221e6e6eee961014701cd7f8be3805b324a602264b6801e766c4991906be.dll
-
Size
116KB
-
MD5
7c5392c2917bc5a8ad60bc1c05192347
-
SHA1
fa39249bae667a34966b482f7b6da86e62cf094c
-
SHA256
da74221e6e6eee961014701cd7f8be3805b324a602264b6801e766c4991906be
-
SHA512
05dd856940b3612b3ba6d72c58e9eefae400cad077d2b4f639b5e8c7c767b2f22e092f47479b742d0d836b1ee6669a84d0bc2cd3fb43cb51829cec4934b3f175
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\P: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2772 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2564 wrote to memory of 2772 2564 rundll32.exe rundll32.exe PID 2564 wrote to memory of 2772 2564 rundll32.exe rundll32.exe PID 2564 wrote to memory of 2772 2564 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\da74221e6e6eee961014701cd7f8be3805b324a602264b6801e766c4991906be.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\da74221e6e6eee961014701cd7f8be3805b324a602264b6801e766c4991906be.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:492