Analysis
-
max time kernel
120s -
max time network
134s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 08:03
Static task
static1
Behavioral task
behavioral1
Sample
0f6e6df2cebc11470dae45c4768b1e2905e011678b2b06bc264cc567fb6251df.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f6e6df2cebc11470dae45c4768b1e2905e011678b2b06bc264cc567fb6251df.dll
Resource
win10-en-20211208
General
-
Target
0f6e6df2cebc11470dae45c4768b1e2905e011678b2b06bc264cc567fb6251df.dll
-
Size
116KB
-
MD5
1c8928e074be67385a44e301df836133
-
SHA1
954ac2ce6805cfc93006fef5f0562b7475883b75
-
SHA256
0f6e6df2cebc11470dae45c4768b1e2905e011678b2b06bc264cc567fb6251df
-
SHA512
b991d95a37e0bce8ddfd54032cf61ff8f6c592c74f02e03bbc837f094ea1da90f3b01fe4b774f48bbaa725b6e86b15a2d42cf7031ceb998838bd1d3aa7cbadb3
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\P: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 4060 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3712 wrote to memory of 4060 3712 rundll32.exe rundll32.exe PID 3712 wrote to memory of 4060 3712 rundll32.exe rundll32.exe PID 3712 wrote to memory of 4060 3712 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0f6e6df2cebc11470dae45c4768b1e2905e011678b2b06bc264cc567fb6251df.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0f6e6df2cebc11470dae45c4768b1e2905e011678b2b06bc264cc567fb6251df.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4060
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:4388