Analysis
- max time kernel: 73s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:07
- Static task: static1
- Behavioral task: behavioral1
  Sample: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll
  Resource: win10-en-20211208
General
- Target: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll
- Size: 116KB
- MD5: 693dc51660715ef8392c7f0677e046be
- SHA1: f194254a742d6fb1d9e2ec01624993257176a01f
- SHA256: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95
- SHA512: a0dbe72b15bfba16be66e6fadd5630d55bb9c16b6eb59b4ffc1a0a830e81b1153be98799d368346031c09e145aa70005dbf3b81545c40369184d2f95107b04d5
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe

  description              ioc     process
  File opened (read-only)  \??\F:  rundll32.exe
  File opened (read-only)  \??\H:  rundll32.exe
  File opened (read-only)  \??\I:  rundll32.exe
  File opened (read-only)  \??\O:  rundll32.exe
  File opened (read-only)  \??\Q:  rundll32.exe
  File opened (read-only)  \??\T:  rundll32.exe
  File opened (read-only)  \??\U:  rundll32.exe
  File opened (read-only)  \??\B:  rundll32.exe
  File opened (read-only)  \??\G:  rundll32.exe
  File opened (read-only)  \??\K:  rundll32.exe
  File opened (read-only)  \??\S:  rundll32.exe
  File opened (read-only)  \??\V:  rundll32.exe
  File opened (read-only)  \??\X:  rundll32.exe
  File opened (read-only)  \??\A:  rundll32.exe
  File opened (read-only)  \??\L:  rundll32.exe
  File opened (read-only)  \??\M:  rundll32.exe
  File opened (read-only)  \??\P:  rundll32.exe
  File opened (read-only)  \??\R:  rundll32.exe
  File opened (read-only)  \??\W:  rundll32.exe
  File opened (read-only)  \??\Y:  rundll32.exe
  File opened (read-only)  \??\E:  rundll32.exe
  File opened (read-only)  \??\J:  rundll32.exe
  File opened (read-only)  \??\N:  rundll32.exe
  File opened (read-only)  \??\Z:  rundll32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: rundll32.exe

  description              pid   process
  Token: SeDebugPrivilege  3200  rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe

  description                       pid   process       target process
  PID 3672 wrote to memory of 3200  3672  rundll32.exe  rundll32.exe
  PID 3672 wrote to memory of 3200  3672  rundll32.exe  rundll32.exe
  PID 3672 wrote to memory of 3200  3672  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3672)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3200)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll,#1
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 4532)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding