Analysis
-
max time kernel
91s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 23:04
General
-
Target
3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll
-
Size
164KB
-
MD5
8f286ca2abef24f99a5d9132699cf104
-
SHA1
dce33985bce7cab1bb1fbc44f16e8c9ceaa0a84a
-
SHA256
3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f
-
SHA512
a877401f5f905e7f8636279be05f27056bfedbcc88cf4632e54df3f3e0979e9381a6a2bd5e44f134d1864f902dfc49296d7831dad6c44366a5ec74bfbfbe93f6
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll,#12⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3376-130-0x0000000000000000-mapping.dmp
-
memory/3432-131-0x0000000000000000-mapping.dmp