Analysis
max time kernel:   121s
max time network:  117s
platform:          windows7_x64
resource:          win7-en-20211208
submitted:         28-01-2022 18:05
Static task: static1

Behavioral task: behavioral1
  Sample:   d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525.dll
  Resource: win10-en-20211208
General
Target:  d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525.dll
Size:    130KB
MD5:     0f270db9ab9361e20058b8c6129bf30e
SHA1:    ffc0baa6c0a16d9b2ff92402c909106154f15d33
SHA256:  d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525
SHA512:  83ce2d7998fcc9f4777e075319447bd57f540fe6aa421d9cf6b8a45f1452097aecc77c257fe25883de555f03c8ab51611f64c3976de737d9738ec0c3d9dfc1cb
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
  description              ioc      process
  File opened (read-only)  \??\W:   rundll32.exe
  File opened (read-only)  \??\X:   rundll32.exe
  File opened (read-only)  \??\H:   rundll32.exe
  File opened (read-only)  \??\J:   rundll32.exe
  File opened (read-only)  \??\N:   rundll32.exe
  File opened (read-only)  \??\O:   rundll32.exe
  File opened (read-only)  \??\Q:   rundll32.exe
  File opened (read-only)  \??\A:   rundll32.exe
  File opened (read-only)  \??\G:   rundll32.exe
  File opened (read-only)  \??\I:   rundll32.exe
  File opened (read-only)  \??\K:   rundll32.exe
  File opened (read-only)  \??\L:   rundll32.exe
  File opened (read-only)  \??\E:   rundll32.exe
  File opened (read-only)  \??\P:   rundll32.exe
  File opened (read-only)  \??\R:   rundll32.exe
  File opened (read-only)  \??\T:   rundll32.exe
  File opened (read-only)  \??\Z:   rundll32.exe
  File opened (read-only)  \??\V:   rundll32.exe
  File opened (read-only)  \??\Y:   rundll32.exe
  File opened (read-only)  \??\B:   rundll32.exe
  File opened (read-only)  \??\F:   rundll32.exe
  File opened (read-only)  \??\M:   rundll32.exe
  File opened (read-only)  \??\S:   rundll32.exe
  File opened (read-only)  \??\U:   rundll32.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  1876  804         WerFault.exe  rundll32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           rundll32.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: rundll32.exe, WerFault.exe
  pid   process
  804   rundll32.exe
  804   rundll32.exe
  1876  WerFault.exe
  1876  WerFault.exe
  1876  WerFault.exe
  1876  WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: WerFault.exe
  pid   process
  1876  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WerFault.exe
  description              pid   process
  Token: SeDebugPrivilege  1876  WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 1084 wrote to memory of 804   1084  rundll32.exe  rundll32.exe
  PID 1084 wrote to memory of 804   1084  rundll32.exe  rundll32.exe
  PID 1084 wrote to memory of 804   1084  rundll32.exe  rundll32.exe
  PID 1084 wrote to memory of 804   1084  rundll32.exe  rundll32.exe
  PID 1084 wrote to memory of 804   1084  rundll32.exe  rundll32.exe
  PID 1084 wrote to memory of 804   1084  rundll32.exe  rundll32.exe
  PID 1084 wrote to memory of 804   1084  rundll32.exe  rundll32.exe
  PID 804 wrote to memory of 1876   804   rundll32.exe  WerFault.exe
  PID 804 wrote to memory of 1876   804   rundll32.exe  WerFault.exe
  PID 804 wrote to memory of 1876   804   rundll32.exe  WerFault.exe
  PID 804 wrote to memory of 1876   804   rundll32.exe  WerFault.exe
Processes

C:\Windows\system32\rundll32.exe  (depth 1, PID 1084)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (depth 2, PID 804)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525.dll,#1
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe  (depth 3, PID 1876)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 280
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken