Analysis
-
max time kernel
79s -
max time network
134s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 07:38
Static task
static1
Behavioral task
behavioral1
Sample
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll
Resource
win10-en-20211208
General
-
Target
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll
-
Size
166KB
-
MD5
084c5115e946636ef03e8a555b6bf060
-
SHA1
e9f9c357dd08e653ee7ffd17943773327a18c93f
-
SHA256
fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d
-
SHA512
40d651021c4a3058d1c726bcfaea94c70c7d6fe9ffa3e3cd19db058864c018a32e26fefa3f70ddb635cb1ec31afb958112c87e2ee1e6cb1c838e8ee2a28088b6
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2920 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 528 wrote to memory of 2920 528 rundll32.exe 69 PID 528 wrote to memory of 2920 528 rundll32.exe 69 PID 528 wrote to memory of 2920 528 rundll32.exe 69
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fd4363b4f508b066bec54f0980c0d58c12248c95b0a021ca02054738bc0da94d.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1740