aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8

General

Target

aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8.dll
Size

131KB
MD5

1ef3f352d97ba827f446f6e8708aa054
SHA1

eb910b00ff92247044ae7c3006c8946b912f798b
SHA256

aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8
SHA512

cc58d395b38fe2908a5a6c58ef8a53eadf434ef27eafed19f6564d9cad04761575e0d8c0d1d68a5ee94edf066365d7fee2737c0e76ee4326c73dfee1c7f6b91d

Score

6^/10

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

644 2852 WerFault.exe rundll32.exe

pid	pid_target	process	target process
644	2852	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 644 WerFault.exe
Token: SeBackupPrivilege 644 WerFault.exe
Token: SeDebugPrivilege 644 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2796 wrote to memory of 2852	2796	rundll32.exe	rundll32.exe
PID 2796 wrote to memory of 2852	2796	rundll32.exe	rundll32.exe
PID 2796 wrote to memory of 2852	2796	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2796