Analysis
- max time kernel: 118s
- max time network: 137s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: c5fe4b5d1803a096c1a4330512406595bb585846b4a691459de1a65b6b390409.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: c5fe4b5d1803a096c1a4330512406595bb585846b4a691459de1a65b6b390409.dll
  Resource: win10-en-20211208
General
- Target: c5fe4b5d1803a096c1a4330512406595bb585846b4a691459de1a65b6b390409.dll
- Size: 131KB
- MD5: f2e83452c8af69d031ab5b4f6442f802
- SHA1: 693e42d60d6b58127c8554d94f658edc0d933fa0
- SHA256: c5fe4b5d1803a096c1a4330512406595bb585846b4a691459de1a65b6b390409
- SHA512: cc139b2fb39e7bdde8cf138f17a67cadd8cb8d83c0a271feb5726a55a6d74e68e90b670573d29faca7ac81e631aa0bfb8748b07ab3254db4e52408b22d708092
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. The 24 roots opened below cover every letter from A: to Z: except C: and D:, i.e. a full sweep of the drive-letter space rather than a lookup of drives that are actually mounted.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\K:  rundll32.exe
    File opened (read-only)  \??\M:  rundll32.exe
    File opened (read-only)  \??\N:  rundll32.exe
    File opened (read-only)  \??\P:  rundll32.exe
    File opened (read-only)  \??\Q:  rundll32.exe
    File opened (read-only)  \??\V:  rundll32.exe
    File opened (read-only)  \??\X:  rundll32.exe
    File opened (read-only)  \??\G:  rundll32.exe
    File opened (read-only)  \??\Z:  rundll32.exe
    File opened (read-only)  \??\F:  rundll32.exe
    File opened (read-only)  \??\O:  rundll32.exe
    File opened (read-only)  \??\R:  rundll32.exe
    File opened (read-only)  \??\W:  rundll32.exe
    File opened (read-only)  \??\Y:  rundll32.exe
    File opened (read-only)  \??\A:  rundll32.exe
    File opened (read-only)  \??\J:  rundll32.exe
    File opened (read-only)  \??\S:  rundll32.exe
    File opened (read-only)  \??\T:  rundll32.exe
    File opened (read-only)  \??\B:  rundll32.exe
    File opened (read-only)  \??\H:  rundll32.exe
    File opened (read-only)  \??\I:  rundll32.exe
    File opened (read-only)  \??\L:  rundll32.exe
    File opened (read-only)  \??\U:  rundll32.exe
    File opened (read-only)  \??\E:  rundll32.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    4112  3440        WerFault.exe  rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           rundll32.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid   process
    3440  rundll32.exe  (4 occurrences)
    4112  WerFault.exe  (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   4112  WerFault.exe
    Token: SeBackupPrivilege    4112  WerFault.exe
    Token: SeDebugPrivilege     4112  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1480 wrote to memory of 3440  1480  rundll32.exe  rundll32.exe
    PID 1480 wrote to memory of 3440  1480  rundll32.exe  rundll32.exe
    PID 1480 wrote to memory of 3440  1480  rundll32.exe  rundll32.exe
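The two behavioural signatures above (a sweep of drive roots and reads of the CentralProcessor registry key by the same rundll32.exe) are the kind of pair a triage script can score from sandbox or Sysmon-style events. The following is an added example, not part of this report or of the sandbox's own rule set. The event records are constructed from the IoC rows listed above, the event schema (kind/pid/process/target) is assumed, and the drive-sweep threshold is an arbitrary choice for illustration.

```python
"""Heuristic triage of per-process file-open and registry-query events.

Added example; not the sandbox's code. EVENTS is constructed from the
IoC rows in this report (24 drive-root opens and two CentralProcessor
value reads by rundll32.exe PID 3440), plus a constructed benign
control process so the heuristic has something to leave alone.
"""
from collections import defaultdict

# Drive letters in the order the report lists them (C: and D: absent).
REPORTED_DRIVES = "KMNPQVXGZFORWYAJSTBHILUE"

EVENTS = [
    {"kind": "file_open", "pid": 3440, "process": "rundll32.exe",
     "target": f"\\??\\{letter}:"}
    for letter in REPORTED_DRIVES
] + [
    {"kind": "reg_query", "pid": 3440, "process": "rundll32.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"kind": "reg_query", "pid": 3440, "process": "rundll32.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    # Constructed benign control: a process that only touches C: and D:.
    {"kind": "file_open", "pid": 900, "process": "explorer.exe", "target": r"\??\C:"},
    {"kind": "file_open", "pid": 900, "process": "explorer.exe", "target": r"\??\D:"},
]

# Assumed threshold: more distinct non-C: roots than ordinary software opens.
DRIVE_SWEEP_THRESHOLD = 8
# Registry subkey whose values fingerprint the CPU (assumed case-insensitive match).
CPU_KEY = r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0"


def drive_letter(path):
    """Return the drive letter for an NT root path such as \\??\\K:, else None."""
    if path.startswith("\\??\\") and len(path) == 6 and path[5] == ":":
        return path[4].upper()
    return None


def triage(events):
    """Group events by (pid, process) and flag drive sweeps and CPU fingerprinting.

    Returns {(pid, process): {"drives": [...], "cpu_reads": n, "hits": [...]}}
    containing only processes that triggered at least one heuristic.
    """
    drives = defaultdict(set)
    cpu_reads = defaultdict(int)
    for ev in events:
        key = (ev["pid"], ev["process"])
        if ev["kind"] == "file_open":
            letter = drive_letter(ev["target"])
            if letter and letter != "C":
                drives[key].add(letter)
        elif ev["kind"] == "reg_query" and CPU_KEY.lower() in ev["target"].lower():
            cpu_reads[key] += 1

    findings = {}
    for key in set(drives) | set(cpu_reads):
        hits = []
        if len(drives[key]) >= DRIVE_SWEEP_THRESHOLD:
            hits.append("drive_sweep")
        if cpu_reads[key] > 0:
            hits.append("cpu_fingerprint")
        if hits:
            findings[key] = {
                "drives": sorted(drives[key]),
                "cpu_reads": cpu_reads[key],
                "hits": hits,
            }
    return findings


if __name__ == "__main__":
    for (pid, name), info in sorted(triage(EVENTS).items()):
        print(f"{name} (pid {pid}): {', '.join(info['hits'])}; "
              f"{len(info['drives'])} non-C: roots, {info['cpu_reads']} CPU key reads")
```

Only the rundll32.exe process is reported; the control process opens one non-C: root and never touches the CPU key. Scoring the two behaviours together matters more than either alone: backup and disk-management software legitimately sweeps drive letters, and hardware inventory tools legitimately read ProcessorNameString, but a rundll32.exe instance loading a DLL from a user's Temp directory doing both is worth a closer look.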
Processes
- C:\Windows\system32\rundll32.exe (PID 1480, from the WriteProcessMemory table)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fe4b5d1803a096c1a4330512406595bb585846b4a691459de1a65b6b390409.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3440), spawned by PID 1480 with the same command line
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fe4b5d1803a096c1a4330512406595bb585846b4a691459de1a65b6b390409.dll,#1
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (PID 4112), error reporting for the crashed PID 3440
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 684
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken