de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242.dll
Size

73KB
MD5

006f62def479b56aea5a32c4bfd5a8a0
SHA1

3ece33765e1196046e96ed9f39bc894d6138e7c2
SHA256

de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242
SHA512

b70f87271136401fc495f426e8fafa7f758f830acbe7c925017e218ba31b61cb21c59e39f361cda1fc88ed2618287e88c61ef8f0e10a245c2e606587fd3bf8c6
SSDEEP

1536:omgrayLgKh8/HIYNcn0CUjWrPyzVmgaghTuItF9Bmx/v2n6:oNkKh8/HIYNc0bWTyzV9acTztdmxX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1904	hrl1B8D.tmp

Loads dropped DLL 2 IoCs

pid	Process
916	rundll32.exe
916	rundll32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1904	hrl1B8D.tmp

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	hrl1B8D.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1904	hrl1B8D.tmp
1904	hrl1B8D.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 916	880	rundll32.exe	17
PID 880 wrote to memory of 916	880	rundll32.exe	17
PID 880 wrote to memory of 916	880	rundll32.exe	17
PID 880 wrote to memory of 916	880	rundll32.exe	17
PID 880 wrote to memory of 916	880	rundll32.exe	17
PID 880 wrote to memory of 916	880	rundll32.exe	17
PID 880 wrote to memory of 916	880	rundll32.exe	17
PID 916 wrote to memory of 1904	916	rundll32.exe	21
PID 916 wrote to memory of 1904	916	rundll32.exe	21
PID 916 wrote to memory of 1904	916	rundll32.exe	21
PID 916 wrote to memory of 1904	916	rundll32.exe	21
PID 1904 wrote to memory of 368	1904	hrl1B8D.tmp	5
PID 1904 wrote to memory of 368	1904	hrl1B8D.tmp	5
PID 1904 wrote to memory of 368	1904	hrl1B8D.tmp	5
PID 1904 wrote to memory of 368	1904	hrl1B8D.tmp	5
PID 1904 wrote to memory of 368	1904	hrl1B8D.tmp	5
PID 1904 wrote to memory of 368	1904	hrl1B8D.tmp	5
PID 1904 wrote to memory of 368	1904	hrl1B8D.tmp	5
PID 1904 wrote to memory of 376	1904	hrl1B8D.tmp	4
PID 1904 wrote to memory of 376	1904	hrl1B8D.tmp	4
PID 1904 wrote to memory of 376	1904	hrl1B8D.tmp	4
PID 1904 wrote to memory of 376	1904	hrl1B8D.tmp	4
PID 1904 wrote to memory of 376	1904	hrl1B8D.tmp	4
PID 1904 wrote to memory of 376	1904	hrl1B8D.tmp	4
PID 1904 wrote to memory of 376	1904	hrl1B8D.tmp	4
PID 1904 wrote to memory of 416	1904	hrl1B8D.tmp	3
PID 1904 wrote to memory of 416	1904	hrl1B8D.tmp	3
PID 1904 wrote to memory of 416	1904	hrl1B8D.tmp	3
PID 1904 wrote to memory of 416	1904	hrl1B8D.tmp	3
PID 1904 wrote to memory of 416	1904	hrl1B8D.tmp	3
PID 1904 wrote to memory of 416	1904	hrl1B8D.tmp	3
PID 1904 wrote to memory of 416	1904	hrl1B8D.tmp	3
PID 1904 wrote to memory of 460	1904	hrl1B8D.tmp	2
PID 1904 wrote to memory of 460	1904	hrl1B8D.tmp	2
PID 1904 wrote to memory of 460	1904	hrl1B8D.tmp	2
PID 1904 wrote to memory of 460	1904	hrl1B8D.tmp	2
PID 1904 wrote to memory of 460	1904	hrl1B8D.tmp	2
PID 1904 wrote to memory of 460	1904	hrl1B8D.tmp	2
PID 1904 wrote to memory of 460	1904	hrl1B8D.tmp	2
PID 1904 wrote to memory of 476	1904	hrl1B8D.tmp	1
PID 1904 wrote to memory of 476	1904	hrl1B8D.tmp	1
PID 1904 wrote to memory of 476	1904	hrl1B8D.tmp	1
PID 1904 wrote to memory of 476	1904	hrl1B8D.tmp	1
PID 1904 wrote to memory of 476	1904	hrl1B8D.tmp	1
PID 1904 wrote to memory of 476	1904	hrl1B8D.tmp	1
PID 1904 wrote to memory of 476	1904	hrl1B8D.tmp	1
PID 1904 wrote to memory of 484	1904	hrl1B8D.tmp	8
PID 1904 wrote to memory of 484	1904	hrl1B8D.tmp	8
PID 1904 wrote to memory of 484	1904	hrl1B8D.tmp	8
PID 1904 wrote to memory of 484	1904	hrl1B8D.tmp	8
PID 1904 wrote to memory of 484	1904	hrl1B8D.tmp	8
PID 1904 wrote to memory of 484	1904	hrl1B8D.tmp	8
PID 1904 wrote to memory of 484	1904	hrl1B8D.tmp	8
PID 1904 wrote to memory of 600	1904	hrl1B8D.tmp	28
PID 1904 wrote to memory of 600	1904	hrl1B8D.tmp	28
PID 1904 wrote to memory of 600	1904	hrl1B8D.tmp	28
PID 1904 wrote to memory of 600	1904	hrl1B8D.tmp	28
PID 1904 wrote to memory of 600	1904	hrl1B8D.tmp	28
PID 1904 wrote to memory of 600	1904	hrl1B8D.tmp	28
PID 1904 wrote to memory of 600	1904	hrl1B8D.tmp	28
PID 1904 wrote to memory of 676	1904	hrl1B8D.tmp	27
PID 1904 wrote to memory of 676	1904	hrl1B8D.tmp	27
PID 1904 wrote to memory of 676	1904	hrl1B8D.tmp	27
PID 1904 wrote to memory of 676	1904	hrl1B8D.tmp	27

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1644
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1224
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1052
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:452
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:336
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:888
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242.dll,#1
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\hrl1B8D.tmp
      C:\Users\Admin\AppData\Local\Temp\hrl1B8D.tmp
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl1B8D.tmp

Filesize
50KB

MD5
056df4ad75e78fa3e968a95374d27f80

SHA1
2a903d287068a3ab040564f9450be68e68e5aaee

SHA256
d599bc8b8a4a9a885b083c77bf4c14105382d095ab62e676af1f4ed98c913724

SHA512
4856e84d59e877d28a0a35be17fa0b6c19249cabfb2d248e92eaff786ffcc95a5a8e122f2af4d0d04295ab371f14ed5210209c35f8f13aa393218e904455f643

Download Submit
\Users\Admin\AppData\Local\Temp\hrl1B8D.tmp

Filesize
20KB

MD5
3398bf5c2c2b3f80ea042e48307f3b95

SHA1
64dab5c8e0ad97d1dfcfdd8b9746838dbe68e9f8

SHA256
a1d5620a16142b7c8c2701c0ce04c3f659d74688c9e2f3240a399cb237ba5bbb

SHA512
9c83a56ee502df790852592f02647278c76b9ab01c9a61e988953e8e793fb12e1cd9e11cdf41811487b50c0f50ddc56743f72ad4dd327930666ec3e6871d10a0

Download Submit
\Users\Admin\AppData\Local\Temp\hrl1B8D.tmp

Filesize
34KB

MD5
7292ea7794b85d51295766e8319dc94a

SHA1
0981a15de9697f38118cde4cb8c183605e207424

SHA256
fedd7f636f7f2430a355212328b1dfcb41c0823059505061dee36a9c554996b0

SHA512
6b9ccae2dff2b0f0bd948abbd92cc562747f4793bfa02669ac711467848518218d32c0fc0d12c2d9fc770e991ad6c85d7e8eeeab8243b82a79c9c03aabee5037

Download Submit
memory/916-55-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/916-62-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/916-61-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/1904-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download