Analysis
-
max time kernel
120s -
max time network
128s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:58
Static task
static1
Behavioral task
behavioral1
Sample
d50a0928e267b860e59f4162023ba9e3b004eaf0698595c4e24c69e2e9091566.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
d50a0928e267b860e59f4162023ba9e3b004eaf0698595c4e24c69e2e9091566.dll
Resource
win10-en-20211208
General
-
Target
d50a0928e267b860e59f4162023ba9e3b004eaf0698595c4e24c69e2e9091566.dll
-
Size
115KB
-
MD5
c6d639df4492e2068602b744a25d6ed1
-
SHA1
f033e072e82752db352057f4c61fc2a7a590d194
-
SHA256
d50a0928e267b860e59f4162023ba9e3b004eaf0698595c4e24c69e2e9091566
-
SHA512
a83fd29d81fe2b0fd0d982878f4f042b78385229f69299b803cf27efbbb83f500b9479d90b09fb7bdd4abd7aa85db7b1074cdd4b903775eced5b17529271558c
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\B: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2284 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2828 wrote to memory of 2284 2828 rundll32.exe rundll32.exe PID 2828 wrote to memory of 2284 2828 rundll32.exe rundll32.exe PID 2828 wrote to memory of 2284 2828 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d50a0928e267b860e59f4162023ba9e3b004eaf0698595c4e24c69e2e9091566.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d50a0928e267b860e59f4162023ba9e3b004eaf0698595c4e24c69e2e9091566.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2700