a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-10-2022 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3.dll
Size

83KB
MD5

cbf791ae024ac4c4a99052267021c523
SHA1

2d003593f9be5a6aebac97b5eb4c8e09f9b18c47
SHA256

a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3
SHA512

75b149dfec61d9a3faf45dbdd7d2d3166f11e83aef1c00d70340150f26254e378671851bd6171d7c7daf1d2d42f71589917f90ea657487c6abd396e8d385ef90
SSDEEP

1536:a27YDGlFwnzyfwsCVvpoTpMEOyHs27YDGl6Hp6p7C7Vr3s/4gDifHj:kGzwnzyfwsCV+VkyHGG8Hp6p+dswXfj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	hrlF2E8.tmp

Loads dropped DLL 2 IoCs

pid	Process
1488	rundll32.exe
1488	rundll32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1684	hrlF2E8.tmp

Suspicious behavior: MapViewOfSection 24 IoCs

pid	Process
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	hrlF2E8.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1684	hrlF2E8.tmp
1684	hrlF2E8.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1488	1960	rundll32.exe	28
PID 1960 wrote to memory of 1488	1960	rundll32.exe	28
PID 1960 wrote to memory of 1488	1960	rundll32.exe	28
PID 1960 wrote to memory of 1488	1960	rundll32.exe	28
PID 1960 wrote to memory of 1488	1960	rundll32.exe	28
PID 1960 wrote to memory of 1488	1960	rundll32.exe	28
PID 1960 wrote to memory of 1488	1960	rundll32.exe	28
PID 1488 wrote to memory of 1684	1488	rundll32.exe	29
PID 1488 wrote to memory of 1684	1488	rundll32.exe	29
PID 1488 wrote to memory of 1684	1488	rundll32.exe	29
PID 1488 wrote to memory of 1684	1488	rundll32.exe	29
PID 1684 wrote to memory of 368	1684	hrlF2E8.tmp	5
PID 1684 wrote to memory of 368	1684	hrlF2E8.tmp	5
PID 1684 wrote to memory of 368	1684	hrlF2E8.tmp	5
PID 1684 wrote to memory of 368	1684	hrlF2E8.tmp	5
PID 1684 wrote to memory of 368	1684	hrlF2E8.tmp	5
PID 1684 wrote to memory of 368	1684	hrlF2E8.tmp	5
PID 1684 wrote to memory of 368	1684	hrlF2E8.tmp	5
PID 1684 wrote to memory of 380	1684	hrlF2E8.tmp	4
PID 1684 wrote to memory of 380	1684	hrlF2E8.tmp	4
PID 1684 wrote to memory of 380	1684	hrlF2E8.tmp	4
PID 1684 wrote to memory of 380	1684	hrlF2E8.tmp	4
PID 1684 wrote to memory of 380	1684	hrlF2E8.tmp	4
PID 1684 wrote to memory of 380	1684	hrlF2E8.tmp	4
PID 1684 wrote to memory of 380	1684	hrlF2E8.tmp	4
PID 1684 wrote to memory of 416	1684	hrlF2E8.tmp	3
PID 1684 wrote to memory of 416	1684	hrlF2E8.tmp	3
PID 1684 wrote to memory of 416	1684	hrlF2E8.tmp	3
PID 1684 wrote to memory of 416	1684	hrlF2E8.tmp	3
PID 1684 wrote to memory of 416	1684	hrlF2E8.tmp	3
PID 1684 wrote to memory of 416	1684	hrlF2E8.tmp	3
PID 1684 wrote to memory of 416	1684	hrlF2E8.tmp	3
PID 1684 wrote to memory of 460	1684	hrlF2E8.tmp	2
PID 1684 wrote to memory of 460	1684	hrlF2E8.tmp	2
PID 1684 wrote to memory of 460	1684	hrlF2E8.tmp	2
PID 1684 wrote to memory of 460	1684	hrlF2E8.tmp	2
PID 1684 wrote to memory of 460	1684	hrlF2E8.tmp	2
PID 1684 wrote to memory of 460	1684	hrlF2E8.tmp	2
PID 1684 wrote to memory of 460	1684	hrlF2E8.tmp	2
PID 1684 wrote to memory of 476	1684	hrlF2E8.tmp	1
PID 1684 wrote to memory of 476	1684	hrlF2E8.tmp	1
PID 1684 wrote to memory of 476	1684	hrlF2E8.tmp	1
PID 1684 wrote to memory of 476	1684	hrlF2E8.tmp	1
PID 1684 wrote to memory of 476	1684	hrlF2E8.tmp	1
PID 1684 wrote to memory of 476	1684	hrlF2E8.tmp	1
PID 1684 wrote to memory of 476	1684	hrlF2E8.tmp	1
PID 1684 wrote to memory of 484	1684	hrlF2E8.tmp	6
PID 1684 wrote to memory of 484	1684	hrlF2E8.tmp	6
PID 1684 wrote to memory of 484	1684	hrlF2E8.tmp	6
PID 1684 wrote to memory of 484	1684	hrlF2E8.tmp	6
PID 1684 wrote to memory of 484	1684	hrlF2E8.tmp	6
PID 1684 wrote to memory of 484	1684	hrlF2E8.tmp	6
PID 1684 wrote to memory of 484	1684	hrlF2E8.tmp	6
PID 1684 wrote to memory of 580	1684	hrlF2E8.tmp	24
PID 1684 wrote to memory of 580	1684	hrlF2E8.tmp	24
PID 1684 wrote to memory of 580	1684	hrlF2E8.tmp	24
PID 1684 wrote to memory of 580	1684	hrlF2E8.tmp	24
PID 1684 wrote to memory of 580	1684	hrlF2E8.tmp	24
PID 1684 wrote to memory of 580	1684	hrlF2E8.tmp	24
PID 1684 wrote to memory of 580	1684	hrlF2E8.tmp	24
PID 1684 wrote to memory of 656	1684	hrlF2E8.tmp	23
PID 1684 wrote to memory of 656	1684	hrlF2E8.tmp	23
PID 1684 wrote to memory of 656	1684	hrlF2E8.tmp	23
PID 1684 wrote to memory of 656	1684	hrlF2E8.tmp	23

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1192
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:956
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1100
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1048
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:928
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:864
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:840
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:736
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1980

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3.dll,#1
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\hrlF2E8.tmp
      C:\Users\Admin\AppData\Local\Temp\hrlF2E8.tmp
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlF2E8.tmp

Filesize
71KB

MD5
3ccbb09bd8062641e5d61f3dddbca6b3

SHA1
f2e629030b59521874d1a2f7ff20a1bfaccb464b

SHA256
9504ee80b660e3ae74bd9ca742fbb5b5aba7106f046dc73fd78faecfb3748577

SHA512
b9bfd23ee9cfb63ca60693b5fb2ebd4869c72f2d1d39aea3119979b092887e6f0ed7f3c4108fcf7f82df6a3d47bb6fd3eed5f82659ff7b7056e6935f3e76c57e

Download Submit
\Users\Admin\AppData\Local\Temp\hrlF2E8.tmp

Filesize
71KB

MD5
3ccbb09bd8062641e5d61f3dddbca6b3

SHA1
f2e629030b59521874d1a2f7ff20a1bfaccb464b

SHA256
9504ee80b660e3ae74bd9ca742fbb5b5aba7106f046dc73fd78faecfb3748577

SHA512
b9bfd23ee9cfb63ca60693b5fb2ebd4869c72f2d1d39aea3119979b092887e6f0ed7f3c4108fcf7f82df6a3d47bb6fd3eed5f82659ff7b7056e6935f3e76c57e

Download Submit
\Users\Admin\AppData\Local\Temp\hrlF2E8.tmp

Filesize
71KB

MD5
3ccbb09bd8062641e5d61f3dddbca6b3

SHA1
f2e629030b59521874d1a2f7ff20a1bfaccb464b

SHA256
9504ee80b660e3ae74bd9ca742fbb5b5aba7106f046dc73fd78faecfb3748577

SHA512
b9bfd23ee9cfb63ca60693b5fb2ebd4869c72f2d1d39aea3119979b092887e6f0ed7f3c4108fcf7f82df6a3d47bb6fd3eed5f82659ff7b7056e6935f3e76c57e

Download Submit
memory/1488-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1488-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1488-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1488-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1684-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download