Analysis
-
max time kernel
122s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:44
Static task
static1
Behavioral task
behavioral1
Sample
7d0b26523066341c0a9638d0e265f842b3509a273f3ea0e1f772b0b51a06373b.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
7d0b26523066341c0a9638d0e265f842b3509a273f3ea0e1f772b0b51a06373b.dll
Resource
win10-en-20211208
General
-
Target
7d0b26523066341c0a9638d0e265f842b3509a273f3ea0e1f772b0b51a06373b.dll
-
Size
166KB
-
MD5
2d4425c9f76595f0aa21fad88d82edc4
-
SHA1
0bb28829b5b7b27ba3141ded75d16ca62c1ef761
-
SHA256
7d0b26523066341c0a9638d0e265f842b3509a273f3ea0e1f772b0b51a06373b
-
SHA512
be0f1904acacd8774773366c3d06d28f4a8c6cd74045d7761b5d859c22b8730c4ffc5a433db02b00b41642ecf84435cc76a6ce1c7ed6270f535f33edb26009d3
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3896 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4448 wrote to memory of 3896 4448 rundll32.exe rundll32.exe PID 4448 wrote to memory of 3896 4448 rundll32.exe rundll32.exe PID 4448 wrote to memory of 3896 4448 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7d0b26523066341c0a9638d0e265f842b3509a273f3ea0e1f772b0b51a06373b.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7d0b26523066341c0a9638d0e265f842b3509a273f3ea0e1f772b0b51a06373b.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken