Analysis
- max time kernel: 148s
- max time network: 170s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:57
Static task: static1
Behavioral task: behavioral1
  Sample: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll
  Resource: win10-en-20211208
General
- Target: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll
- Size: 164KB
- MD5: c37804708ee284575f87bd0e365be9d9
- SHA1: 7b8f73cd90e344db7a4697fb6731cd953b1dfe03
- SHA256: d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec
- SHA512: f2cca7e4bad7d683d47e5fc7fabb79024a8d5932b2b0206b11e66a2cae52d4e50626d3f0494cc3709885e1e40985295dee0eb02e7e44e7dfbb3b6fa7b30e4427
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description               ioc      process
  File opened (read-only)   \??\T:   rundll32.exe
  File opened (read-only)   \??\V:   rundll32.exe
  File opened (read-only)   \??\B:   rundll32.exe
  File opened (read-only)   \??\G:   rundll32.exe
  File opened (read-only)   \??\N:   rundll32.exe
  File opened (read-only)   \??\O:   rundll32.exe
  File opened (read-only)   \??\P:   rundll32.exe
  File opened (read-only)   \??\S:   rundll32.exe
  File opened (read-only)   \??\W:   rundll32.exe
  File opened (read-only)   \??\X:   rundll32.exe
  File opened (read-only)   \??\A:   rundll32.exe
  File opened (read-only)   \??\E:   rundll32.exe
  File opened (read-only)   \??\J:   rundll32.exe
  File opened (read-only)   \??\M:   rundll32.exe
  File opened (read-only)   \??\Y:   rundll32.exe
  File opened (read-only)   \??\F:   rundll32.exe
  File opened (read-only)   \??\R:   rundll32.exe
  File opened (read-only)   \??\Z:   rundll32.exe
  File opened (read-only)   \??\H:   rundll32.exe
  File opened (read-only)   \??\I:   rundll32.exe
  File opened (read-only)   \??\K:   rundll32.exe
  File opened (read-only)   \??\L:   rundll32.exe
  File opened (read-only)   \??\Q:   rundll32.exe
  File opened (read-only)   \??\U:   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid    process
  2800   rundll32.exe
  2800   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                        pid   process        target process
  PID 616 wrote to memory of 2800    616   rundll32.exe   rundll32.exe
  PID 616 wrote to memory of 2800    616   rundll32.exe   rundll32.exe
  PID 616 wrote to memory of 2800    616   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll,#1
  PID: 616
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a0b7812b3ee8fbf81d40db94094facc25645689f4109e5d7983e8cb49990ec.dll,#1
    PID: 2800
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses