Analysis
- max time kernel: 125s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll
- Resource: win10-en-20211208
General
- Target: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll
- Size: 166KB
- MD5: 46a10b1e1fe68e124c86ee237751fd44
- SHA1: 78f29761f7f0f57a8f92e5f23d9e4d2d6465e848
- SHA256: d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff
- SHA512: c0fbd92fcb136fd5376efba041d4170eccd8bae219812ef00dfc7edfe26f06b651153bdfa2b01d648ebbbc6901c3205790c26a037f85625c0722173d843e633a
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\X: | rundll32.exe
  File opened (read-only) | \??\E: | rundll32.exe
  File opened (read-only) | \??\G: | rundll32.exe
  File opened (read-only) | \??\I: | rundll32.exe
  File opened (read-only) | \??\J: | rundll32.exe
  File opened (read-only) | \??\M: | rundll32.exe
  File opened (read-only) | \??\N: | rundll32.exe
  File opened (read-only) | \??\P: | rundll32.exe
  File opened (read-only) | \??\S: | rundll32.exe
  File opened (read-only) | \??\V: | rundll32.exe
  File opened (read-only) | \??\W: | rundll32.exe
  File opened (read-only) | \??\A: | rundll32.exe
  File opened (read-only) | \??\B: | rundll32.exe
  File opened (read-only) | \??\L: | rundll32.exe
  File opened (read-only) | \??\Q: | rundll32.exe
  File opened (read-only) | \??\R: | rundll32.exe
  File opened (read-only) | \??\T: | rundll32.exe
  File opened (read-only) | \??\Z: | rundll32.exe
  File opened (read-only) | \??\F: | rundll32.exe
  File opened (read-only) | \??\H: | rundll32.exe
  File opened (read-only) | \??\K: | rundll32.exe
  File opened (read-only) | \??\O: | rundll32.exe
  File opened (read-only) | \??\U: | rundll32.exe
  File opened (read-only) | \??\Y: | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: rundll32.exe
  description | pid | process
  Token: SeDebugPrivilege | 684 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 3728 wrote to memory of 684 | 3728 | rundll32.exe | rundll32.exe
  PID 3728 wrote to memory of 684 | 3728 | rundll32.exe | rundll32.exe
  PID 3728 wrote to memory of 684 | 3728 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll,#1
  PID: 3728
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d48edfe661d15d1146923844c2bc79f5992a2c38d4bb60c6d9f67094492194ff.dll,#1
    PID: 684
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken