Analysis
max time kernel: 122s
max time network: 155s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll
  Resource: win10-en-20211208
General
Target: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll
Size: 116KB
MD5: fbdecce06dbb41237f8623a2e50daf59
SHA1: 41a8190bae6dc95c2ee1bf536367a8edf3740765
SHA256: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf
SHA512: 7966ca39638ddeb2d75ea1635cec515a540c18c2a56139ba7a8c5c7c81af3cb70c7b2a8123f4da4635f5171c6a31eb6a1e280152c0581a13b3655d88cfb061b1
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc      Process
File opened (read-only)   \??\N:   rundll32.exe
File opened (read-only)   \??\O:   rundll32.exe
File opened (read-only)   \??\W:   rundll32.exe
File opened (read-only)   \??\A:   rundll32.exe
File opened (read-only)   \??\F:   rundll32.exe
File opened (read-only)   \??\M:   rundll32.exe
File opened (read-only)   \??\P:   rundll32.exe
File opened (read-only)   \??\Y:   rundll32.exe
File opened (read-only)   \??\E:   rundll32.exe
File opened (read-only)   \??\H:   rundll32.exe
File opened (read-only)   \??\J:   rundll32.exe
File opened (read-only)   \??\U:   rundll32.exe
File opened (read-only)   \??\V:   rundll32.exe
File opened (read-only)   \??\X:   rundll32.exe
File opened (read-only)   \??\Z:   rundll32.exe
File opened (read-only)   \??\B:   rundll32.exe
File opened (read-only)   \??\G:   rundll32.exe
File opened (read-only)   \??\I:   rundll32.exe
File opened (read-only)   \??\K:   rundll32.exe
File opened (read-only)   \??\L:   rundll32.exe
File opened (read-only)   \??\Q:   rundll32.exe
File opened (read-only)   \??\R:   rundll32.exe
File opened (read-only)   \??\S:   rundll32.exe
File opened (read-only)   \??\T:   rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   3548   rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid    Process        procid_target
PID 3488 wrote to memory of 3548   3488   rundll32.exe   68
PID 3488 wrote to memory of 3548   3488   rundll32.exe   68
PID 3488 wrote to memory of 3548   3488   rundll32.exe   68
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
  PID: 3488
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 3488)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
    PID: 3548
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 4024