Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:01
Static task: static1
Behavioral task: behavioral1
- Sample: 594f66d5c4b99a1c9be01492c397f0b9dffd90043f7dec6dea365ed3cb8ba578.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 594f66d5c4b99a1c9be01492c397f0b9dffd90043f7dec6dea365ed3cb8ba578.dll
- Resource: win10-en-20211208
General
- Target: 594f66d5c4b99a1c9be01492c397f0b9dffd90043f7dec6dea365ed3cb8ba578.dll
- Size: 164KB
- MD5: ac93bcaa2cfb182d588b13af90e17254
- SHA1: 650c0c4c18d69ea564d063182ff4e2f8b40e32fc
- SHA256: 594f66d5c4b99a1c9be01492c397f0b9dffd90043f7dec6dea365ed3cb8ba578
- SHA512: ebc03ea09132c054241428799e19f11d3cfa3aeff5c5d8cf8b9533936c335e83ea96ba514c55905b45326def5389bc23a5a856041e8db808ed2c246682cc70fc
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\Q: | rundll32.exe
File opened (read-only) | \??\S: | rundll32.exe
File opened (read-only) | \??\V: | rundll32.exe
File opened (read-only) | \??\L: | rundll32.exe
File opened (read-only) | \??\N: | rundll32.exe
File opened (read-only) | \??\O: | rundll32.exe
File opened (read-only) | \??\I: | rundll32.exe
File opened (read-only) | \??\K: | rundll32.exe
File opened (read-only) | \??\U: | rundll32.exe
File opened (read-only) | \??\A: | rundll32.exe
File opened (read-only) | \??\G: | rundll32.exe
File opened (read-only) | \??\H: | rundll32.exe
File opened (read-only) | \??\X: | rundll32.exe
File opened (read-only) | \??\E: | rundll32.exe
File opened (read-only) | \??\M: | rundll32.exe
File opened (read-only) | \??\P: | rundll32.exe
File opened (read-only) | \??\R: | rundll32.exe
File opened (read-only) | \??\T: | rundll32.exe
File opened (read-only) | \??\W: | rundll32.exe
File opened (read-only) | \??\Y: | rundll32.exe
File opened (read-only) | \??\Z: | rundll32.exe
File opened (read-only) | \??\B: | rundll32.exe
File opened (read-only) | \??\F: | rundll32.exe
File opened (read-only) | \??\J: | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
1548 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 1896 wrote to memory of 1548 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1548 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1548 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1548 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1548 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1548 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1548 | 1896 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID: 1896)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\594f66d5c4b99a1c9be01492c397f0b9dffd90043f7dec6dea365ed3cb8ba578.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID: 1548)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\594f66d5c4b99a1c9be01492c397f0b9dffd90043f7dec6dea365ed3cb8ba578.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
file | filesize
memory/1548-54-0x0000000076491000-0x0000000076493000-memory.dmp | 8KB
memory/1548-56-0x0000000000160000-0x000000000016A000-memory.dmp | 40KB
memory/1548-57-0x0000000000170000-0x0000000000171000-memory.dmp | 4KB
memory/1548-58-0x0000000000180000-0x0000000000181000-memory.dmp | 4KB
memory/1548-59-0x0000000000190000-0x0000000000191000-memory.dmp | 4KB
memory/1548-60-0x0000000002D20000-0x0000000002DBF000-memory.dmp | 636KB
memory/1548-61-0x0000000002DC0000-0x0000000002EED000-memory.dmp | 1.2MB
memory/1548-62-0x00000000001F0000-0x000000000020F000-memory.dmp | 124KB
memory/1548-64-0x00000000001A0000-0x00000000001A6000-memory.dmp | 24KB
memory/1548-63-0x0000000003220000-0x0000000003329000-memory.dmp | 1.0MB