Analysis
- max time kernel: 91s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 23:04
Static task: static1
Behavioral task: behavioral1
  Sample: 3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll
  Resource: win10v2004-20220414-en
General
- Target: 3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll
- Size: 164KB
- MD5: 8f286ca2abef24f99a5d9132699cf104
- SHA1: dce33985bce7cab1bb1fbc44f16e8c9ceaa0a84a
- SHA256: 3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f
- SHA512: a877401f5f905e7f8636279be05f27056bfedbcc88cf4632e54df3f3e0979e9381a6a2bd5e44f134d1864f902dfc49296d7831dad6c44366a5ec74bfbfbe93f6
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: rundll32.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    process: rundll32.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
    description | ioc | process
    File opened (read-only) | \??\F: | rundll32.exe
    File opened (read-only) | \??\H: | rundll32.exe
    File opened (read-only) | \??\K: | rundll32.exe
    File opened (read-only) | \??\E: | rundll32.exe
    File opened (read-only) | \??\G: | rundll32.exe
    File opened (read-only) | \??\I: | rundll32.exe
    File opened (read-only) | \??\J: | rundll32.exe
    File opened (read-only) | \??\R: | rundll32.exe
    File opened (read-only) | \??\S: | rundll32.exe
    File opened (read-only) | \??\A: | rundll32.exe
    File opened (read-only) | \??\O: | rundll32.exe
    File opened (read-only) | \??\Q: | rundll32.exe
    File opened (read-only) | \??\U: | rundll32.exe
    File opened (read-only) | \??\V: | rundll32.exe
    File opened (read-only) | \??\L: | rundll32.exe
    File opened (read-only) | \??\M: | rundll32.exe
    File opened (read-only) | \??\N: | rundll32.exe
    File opened (read-only) | \??\P: | rundll32.exe
    File opened (read-only) | \??\T: | rundll32.exe
    File opened (read-only) | \??\W: | rundll32.exe
    File opened (read-only) | \??\X: | rundll32.exe
    File opened (read-only) | \??\Y: | rundll32.exe
    File opened (read-only) | \??\B: | rundll32.exe
    File opened (read-only) | \??\Z: | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid | process
    3376 | rundll32.exe
    3376 | rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description | pid | process | target process
    PID 4920 wrote to memory of 3376 | 4920 | rundll32.exe | rundll32.exe
    PID 4920 wrote to memory of 3376 | 4920 | rundll32.exe | rundll32.exe
    PID 4920 wrote to memory of 3376 | 4920 | rundll32.exe | rundll32.exe
    PID 3376 wrote to memory of 3432 | 3376 | rundll32.exe | cmd.exe
    PID 3376 wrote to memory of 3432 | 3376 | rundll32.exe | cmd.exe
    PID 3376 wrote to memory of 3432 | 3376 | rundll32.exe | cmd.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3785ab47343608f1ef6defe047a7b495f9b24538b6dac2d1b87f8bcf2027624f.dll,#1
    Signatures:
    - Checks computer location settings
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding