4fb1ee653ab61e7d878a0ccdd62f8cd85b67bc4c51f145d6b5e822c41e2f00c5

Analysis

max time kernel
118s
max time network
119s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fb1ee653ab61e7d878a0ccdd62f8cd85b67bc4c51f145d6b5e822c41e2f00c5.dll
Size

164KB
MD5

c3f9726a402dab37dfade6f8ac43f22a
SHA1

3e8363fb1fb4025aba344e9e3b6683f97ded19f1
SHA256

4fb1ee653ab61e7d878a0ccdd62f8cd85b67bc4c51f145d6b5e822c41e2f00c5
SHA512

8322d2e246eda908bf6d895418e0cd41cec7e25bddef7ea3be16a86525f6a8abb40abe2394f4855fca51f73fd14d161a31cc3292dc34ba932b1a482d83068c7e

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 3120 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3120	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3944 wrote to memory of 3120	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 3120	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 3120	3944	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fb1ee653ab61e7d878a0ccdd62f8cd85b67bc4c51f145d6b5e822c41e2f00c5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fb1ee653ab61e7d878a0ccdd62f8cd85b67bc4c51f145d6b5e822c41e2f00c5.dll,#1
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads