Analysis
-
max time kernel
83s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:06
Static task
static1
Behavioral task
behavioral1
Sample
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll
Resource
win10-en-20211208
General
-
Target
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll
-
Size
116KB
-
MD5
37d43403b20d57d78f8c4c646519d37f
-
SHA1
d8166955e745633324423508cdd4924d5e1af8da
-
SHA256
c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502
-
SHA512
2ad1ce6da0ec326fcbb6a759ac614b7e7bd6303c42e269c4405a82e5c7a8d8e2d1f6faf146fd7d176638a2c6d9f098236f83460c46252e2235ad88dd3eb45d13
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2768 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2604 wrote to memory of 2768 2604 rundll32.exe rundll32.exe PID 2604 wrote to memory of 2768 2604 rundll32.exe rundll32.exe PID 2604 wrote to memory of 2768 2604 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6bbcbd392e5828b0fd1130e4c27cf352415295b0428c6b1ce6707528cfa8502.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2768