39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592

Analysis

max time kernel
42s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll
Size

216KB
MD5

3bc080b863aa68efa4a7a291c75e9ba9
SHA1

5c0b8b7a65e5437bdf0ce28839ac192108096f03
SHA256

39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592
SHA512

28ae6ce0275037d0ea2de404be987089b4cad7ea5535565acf52596ba3740960b32cd92be568b6daf2caf1e6a7e8756c9ac8de49cef2c04fd3f9c2fe247b3c20
SSDEEP

6144:sv80ayHyYc7roVdQTuYOiWB1z1GC53DItkjzfip:sv8loDQy7DzZDzy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	hrl388F.tmp

Loads dropped DLL 2 IoCs

pid	Process
1776	rundll32.exe
1776	rundll32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1776	1344	rundll32.exe	27
PID 1344 wrote to memory of 1776	1344	rundll32.exe	27
PID 1344 wrote to memory of 1776	1344	rundll32.exe	27
PID 1344 wrote to memory of 1776	1344	rundll32.exe	27
PID 1344 wrote to memory of 1776	1344	rundll32.exe	27
PID 1344 wrote to memory of 1776	1344	rundll32.exe	27
PID 1344 wrote to memory of 1776	1344	rundll32.exe	27
PID 1776 wrote to memory of 2044	1776	rundll32.exe	28
PID 1776 wrote to memory of 2044	1776	rundll32.exe	28
PID 1776 wrote to memory of 2044	1776	rundll32.exe	28
PID 1776 wrote to memory of 2044	1776	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll,#1
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\hrl388F.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl388F.tmp
    3⤵
    - Executes dropped EXE
    PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl388F.tmp

Filesize
209KB

MD5
d5450d1885577b308d0c081acc8dcd0b

SHA1
5950c3ec40d452073e96438f60b9af67163fc87d

SHA256
4fd0feb1affaaf2790e36ffc86a72c9ced3077020d9037fbc62950f7b4becd2f

SHA512
b0014a28244a33d2daf4d03d0bfaa487607158564b8993dfbaff6b193066bc8bbba1feac1ec7054e93ffa4867c7e0d7226caa36233887a9c9e8352aeb8115046

Download Submit
\Users\Admin\AppData\Local\Temp\hrl388F.tmp

Filesize
209KB

MD5
d5450d1885577b308d0c081acc8dcd0b

SHA1
5950c3ec40d452073e96438f60b9af67163fc87d

SHA256
4fd0feb1affaaf2790e36ffc86a72c9ced3077020d9037fbc62950f7b4becd2f

SHA512
b0014a28244a33d2daf4d03d0bfaa487607158564b8993dfbaff6b193066bc8bbba1feac1ec7054e93ffa4867c7e0d7226caa36233887a9c9e8352aeb8115046

Download Submit
\Users\Admin\AppData\Local\Temp\hrl388F.tmp

Filesize
209KB

MD5
d5450d1885577b308d0c081acc8dcd0b

SHA1
5950c3ec40d452073e96438f60b9af67163fc87d

SHA256
4fd0feb1affaaf2790e36ffc86a72c9ced3077020d9037fbc62950f7b4becd2f

SHA512
b0014a28244a33d2daf4d03d0bfaa487607158564b8993dfbaff6b193066bc8bbba1feac1ec7054e93ffa4867c7e0d7226caa36233887a9c9e8352aeb8115046

Download Submit
memory/1776-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1776-61-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/1776-62-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/1776-64-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/1776-65-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/2044-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download