Analysis
-
max time kernel
128s -
max time network
142s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 07:55
Static task
static1
Behavioral task
behavioral1
Sample
28eb94bb288256d1debf8ee01c29144fc9615d2b83c46de98b4509f74de55145.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
28eb94bb288256d1debf8ee01c29144fc9615d2b83c46de98b4509f74de55145.dll
Resource
win10-en-20211208
General
-
Target
28eb94bb288256d1debf8ee01c29144fc9615d2b83c46de98b4509f74de55145.dll
-
Size
166KB
-
MD5
95eedf3ace7932071bcb28e3a2780ad1
-
SHA1
0248d45fe4261ffd157c60b130b5935d731edaa7
-
SHA256
28eb94bb288256d1debf8ee01c29144fc9615d2b83c46de98b4509f74de55145
-
SHA512
cba0e857421b93b39ad6b0efc19609fc880d8c45f743a77e969f51dd1362d4bb8d8d6af56073675e033e77073d2a54ad64929001712d7dcb0b96a83940a06126
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3600 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3336 wrote to memory of 3600 3336 rundll32.exe 68 PID 3336 wrote to memory of 3600 3336 rundll32.exe 68 PID 3336 wrote to memory of 3600 3336 rundll32.exe 68
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\28eb94bb288256d1debf8ee01c29144fc9615d2b83c46de98b4509f74de55145.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\28eb94bb288256d1debf8ee01c29144fc9615d2b83c46de98b4509f74de55145.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3600
-