Analysis
- max time kernel: 155s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 31-05-2022 05:45
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 06864c7267f5c787ed4ecac36f45acb28a631648577c57b4ea512a32e303a5cb.dll
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 06864c7267f5c787ed4ecac36f45acb28a631648577c57b4ea512a32e303a5cb.dll
  Resource: win10v2004-20220414-en
General
- Target: 06864c7267f5c787ed4ecac36f45acb28a631648577c57b4ea512a32e303a5cb.dll
- Size: 164KB
- MD5: 53d441fc110b6b172f9b3e0243f47734
- SHA1: bd75157fe24df7ede01b66f8e5fc5f2b20354e95
- SHA256: 06864c7267f5c787ed4ecac36f45acb28a631648577c57b4ea512a32e303a5cb
- SHA512: c9e1227de7f4a27f249e214adc73199cb8dfc74c801fc5a132fe536f0b9f750a4e5fdd8e3a232a0fcf32b5938ca083899724d6a654de1542b8c396af89ac1a8f
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
    description              ioc     process
    File opened (read-only)  \??\I:  rundll32.exe
    File opened (read-only)  \??\L:  rundll32.exe
    File opened (read-only)  \??\P:  rundll32.exe
    File opened (read-only)  \??\U:  rundll32.exe
    File opened (read-only)  \??\V:  rundll32.exe
    File opened (read-only)  \??\B:  rundll32.exe
    File opened (read-only)  \??\Q:  rundll32.exe
    File opened (read-only)  \??\R:  rundll32.exe
    File opened (read-only)  \??\Y:  rundll32.exe
    File opened (read-only)  \??\O:  rundll32.exe
    File opened (read-only)  \??\H:  rundll32.exe
    File opened (read-only)  \??\K:  rundll32.exe
    File opened (read-only)  \??\M:  rundll32.exe
    File opened (read-only)  \??\X:  rundll32.exe
    File opened (read-only)  \??\Z:  rundll32.exe
    File opened (read-only)  \??\F:  rundll32.exe
    File opened (read-only)  \??\E:  rundll32.exe
    File opened (read-only)  \??\G:  rundll32.exe
    File opened (read-only)  \??\J:  rundll32.exe
    File opened (read-only)  \??\N:  rundll32.exe
    File opened (read-only)  \??\S:  rundll32.exe
    File opened (read-only)  \??\T:  rundll32.exe
    File opened (read-only)  \??\W:  rundll32.exe
    File opened (read-only)  \??\A:  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: rundll32.exe
    description               pid   process
    Token: SeDebugPrivilege   3232  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                        pid   process       target process
    PID 3560 wrote to memory of 3232   3560  rundll32.exe  rundll32.exe
    PID 3560 wrote to memory of 3232   3560  rundll32.exe  rundll32.exe
    PID 3560 wrote to memory of 3232   3560  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06864c7267f5c787ed4ecac36f45acb28a631648577c57b4ea512a32e303a5cb.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06864c7267f5c787ed4ecac36f45acb28a631648577c57b4ea512a32e303a5cb.dll,#1
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3232-130-0x0000000000000000-mapping.dmp