Analysis

max time kernel: 119s
max time network: 142s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 19:42

(The platform and resource above match behavioral2; the dynamic results below are from that windows10_x64 run.)
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll
  Resource: win10-en-20211208
General

Target: 8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll
Size: 130KB
MD5: 80604b65968dcb6b013d182203e016ae
SHA1: cb80aaeaa2f500d58e390d7d5e5e7f58917a2636
SHA256: 8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3
SHA512: e7bfcc6b3495459ca0f51b2ccb4042437e940143aaf2d62074c7f004eac5bbb4f9492ce2003833f661de50995cf1336330b3f42f17ee32ca3004850104fb7818
Malware Config

(empty in this report)

Signatures
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description: File opened (read-only)
Process: rundll32.exe (all 24 rows)
ioc: \??\V: \??\A: \??\J: \??\R: \??\K: \??\L: \??\O: \??\P: \??\W: \??\B: \??\E: \??\G: \??\Y: \??\Z: \??\Q: \??\T: \??\X: \??\H: \??\I: \??\N: \??\U: \??\F: \??\M: \??\S:

That is every drive letter A: through Z: except C: and D:, i.e. a full drive-letter sweep rather than access to one specific volume.
Program crash (1 IoC)

pid: 3064 (WerFault.exe)
pid_target: 3476 (rundll32.exe, the process that crashed)
procid_target: 69
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (rundll32.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (16 IoCs)

pid 3476 rundll32.exe (4 rows)
pid 3064 WerFault.exe (12 rows)
Suspicious use of AdjustPrivilegeToken (3 IoCs)

Token: SeRestorePrivilege, pid 3064, WerFault.exe
Token: SeBackupPrivilege, pid 3064, WerFault.exe
Token: SeDebugPrivilege, pid 3064, WerFault.exe

All three rows belong to WerFault.exe, which enables these privileges to open and dump the crashed process; they are crash-reporter behaviour, not something the sample itself did.
Suspicious use of WriteProcessMemory (3 IoCs)

PID 2820 (rundll32.exe) wrote to memory of 3476 (procid_target 69), 3 rows

The writer is the System32 (64-bit) rundll32.exe and the target is the SysWOW64 (32-bit) rundll32.exe it spawned with the same command line (see Processes); this is consistent with the 64-bit loader re-launching the 32-bit copy for a 32-bit DLL, so the writes reflect process creation rather than injection by the sample.
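Added triage example (not code from the sandbox report or its vendor): the three signatures above re-implemented as checks over constructed event records. The events copy the IoC values and the WerFault command line shown on this page; the (pid, image, action, target) tuple layout, the action names and the drive-count threshold of 3 are assumptions made for the example.

```python
"""Added triage example: re-implements three of the report's signature
checks over constructed events that mirror the IoC rows above. This is
not the sandbox vendor's code; the event tuple shape, action names and
the drive-count threshold are assumptions made for the example."""
import re
from collections import defaultdict

CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Constructed events: (pid, image, action, target). Values are copied from
# the report's IoC rows and process tree; the layout is the example's own.
EVENTS = [
    (3476, "rundll32.exe", "file_open_ro", "\\??\\" + c + ":")
    for c in "VAJRKLOPWBEGYZQTXHINUFMS"  # the 24 drive letters listed above
] + [
    (3476, "rundll32.exe", "reg_key_open", CPU_KEY),
    (3476, "rundll32.exe", "reg_value_query", CPU_KEY + r"\Identifier"),
    (3476, "rundll32.exe", "reg_value_query", CPU_KEY + r"\ProcessorNameString"),
    (3064, "WerFault.exe", "process_create",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 680"),
    (2820, "rundll32.exe", "file_open_ro", "\\??\\C:"),  # C: is excluded by the rule
]

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")        # \??\X:  (NT path of a drive root)
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")  # WerFault -p <crashed pid>


def drive_enumeration(events, threshold=3):
    """Processes that open the root of >= threshold drives other than C:.

    Mirrors 'Enumerates connected drives'; returns {pid: sorted letters}.
    The threshold is an assumption, chosen so that a single removable-drive
    access does not fire while an A:..Z: sweep does."""
    seen = defaultdict(set)
    for pid, _image, action, target in events:
        m = DRIVE_ROOT.match(target) if action == "file_open_ro" else None
        if m and m.group(1) != "C":
            seen[pid].add(m.group(1))
    return {pid: sorted(s) for pid, s in seen.items() if len(s) >= threshold}


def cpu_registry_reads(events):
    """Value names queried under CentralProcessor\\0, per pid.

    Mirrors 'Checks processor information in registry' (a common sandbox /
    VM fingerprinting step). Key opens alone are not counted."""
    hits = defaultdict(list)
    for pid, _image, action, target in events:
        if action == "reg_value_query" and target.startswith(CPU_KEY + "\\"):
            hits[pid].append(target[len(CPU_KEY) + 1:])
    return dict(hits)


def crashed_processes(events):
    """Map each WerFault.exe pid to the pid it was launched for (-p <pid>).

    Mirrors 'Program crash': the crashed process is the WerFault target,
    not WerFault itself."""
    crashes = {}
    for pid, image, action, target in events:
        if action == "process_create" and image.lower() == "werfault.exe":
            m = WERFAULT_TARGET.search(target)
            if m:
                crashes[pid] = int(m.group(1))
    return crashes


def triage(events):
    """Summarise the three checks. A pid that enumerated drives and then
    crashed is listed separately so the analyst knows the run was cut short."""
    drives = drive_enumeration(events)
    crashes = crashed_processes(events)
    return {
        "drive_enumeration": drives,
        "cpu_registry_reads": cpu_registry_reads(events),
        "crashes": crashes,
        "crashed_after_enumeration": sorted(set(crashes.values()) & set(drives)),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

Run as a script it prints the summary for the constructed events; for this report the sweep of 24 drive roots and the two CentralProcessor\0 value reads are attributed to pid 3476, and the same pid is the WerFault target, which is why the behavioural coverage after those checks is thin.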
Processes

C:\Windows\system32\rundll32.exe (PID 2820)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 3476, child of 2820)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll,#1
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WerFault.exe (PID 3064, child of 3476)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The DLL was invoked through export ordinal #1 (",#1"). The 32-bit rundll32.exe hosting it performed the drive sweep and the CentralProcessor\0 registry reads and then crashed (WerFault.exe -p 3476), so the behaviour recorded in this run stops at those reconnaissance steps; no network or persistence activity is listed for either rundll32.exe process.