1af3a4edb0c63f213756d27318836a9f9fc818cebba0c0f0eadbccdc2ac5013f

Analysis

max time kernel
119s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-06-2022 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1af3a4edb0c63f213756d27318836a9f9fc818cebba0c0f0eadbccdc2ac5013f.dll
Size

164KB
MD5

91e3112ea226e5b55e9934b991ba68bb
SHA1

ebdd0bdf7e25ae3692625ed2af46b4eea553db34
SHA256

1af3a4edb0c63f213756d27318836a9f9fc818cebba0c0f0eadbccdc2ac5013f
SHA512

d92e7ef2af9bab5ecb13cb68a7b33549550da8f16741fc9b5a29ab481dd585892cc5fc57b1fb84741dd5e183d861302558576b7a9728e3211c1a0f516be89ca7

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3432 rundll32.exe
3432 rundll32.exe

pid	process
3432	rundll32.exe
3432	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3368 wrote to memory of 3432	3368	rundll32.exe	rundll32.exe
PID 3368 wrote to memory of 3432	3368	rundll32.exe	rundll32.exe
PID 3368 wrote to memory of 3432	3368	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1af3a4edb0c63f213756d27318836a9f9fc818cebba0c0f0eadbccdc2ac5013f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1af3a4edb0c63f213756d27318836a9f9fc818cebba0c0f0eadbccdc2ac5013f.dll,#1
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3432-130-0x0000000000000000-mapping.dmp

Download