Analysis
-
max time kernel
118s -
max time network
172s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 08:04
Static task
static1
Behavioral task
behavioral1
Sample
0ef8dacbc9a5a1c5d0084f2ecc3296af115903e1f693001a156af0da2ceb5817.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0ef8dacbc9a5a1c5d0084f2ecc3296af115903e1f693001a156af0da2ceb5817.dll
Resource
win10-en-20211208
General
-
Target
0ef8dacbc9a5a1c5d0084f2ecc3296af115903e1f693001a156af0da2ceb5817.dll
-
Size
114KB
-
MD5
6587e353c90cb81435b1ef20f1a1861d
-
SHA1
e74f0a6aefd4b8f943f00cd35f9dbc2274cc5db4
-
SHA256
0ef8dacbc9a5a1c5d0084f2ecc3296af115903e1f693001a156af0da2ceb5817
-
SHA512
278b101714b5ad786d55bcbef8eb500d2ebd1d55806c2ca7f8f6d17a0bf1d628220f3606ee0fc724501fb2891720e6fd2544520a9d92ba0e5ff62047729ee67e
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\G: rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2400 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 392 wrote to memory of 2400 392 rundll32.exe rundll32.exe PID 392 wrote to memory of 2400 392 rundll32.exe rundll32.exe PID 392 wrote to memory of 2400 392 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0ef8dacbc9a5a1c5d0084f2ecc3296af115903e1f693001a156af0da2ceb5817.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0ef8dacbc9a5a1c5d0084f2ecc3296af115903e1f693001a156af0da2ceb5817.dll,#12⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3212