Analysis
max time kernel: 90s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 21:07
Behavioral task behavioral1
  Sample: 01d7e523f0474bd4e22f9cf3064d8cdb5fb46a20d7ae24e810ab8e0503cdceed.dll
  Resource: win7-20220812-en
Behavioral task behavioral2
  Sample: 01d7e523f0474bd4e22f9cf3064d8cdb5fb46a20d7ae24e810ab8e0503cdceed.dll
  Resource: win10v2004-20220901-en
General
Target: 01d7e523f0474bd4e22f9cf3064d8cdb5fb46a20d7ae24e810ab8e0503cdceed.dll
Size: 129KB
MD5: 1823ab374c366079437f41f98f485586
SHA1: f10c5c3e93565882334d3eb0bbfb5c3c7a94dbda
SHA256: 01d7e523f0474bd4e22f9cf3064d8cdb5fb46a20d7ae24e810ab8e0503cdceed
SHA512: 481066487e37cf47c2d8a996592e08e803fa53e7f1fb0715067cfb0ca6174aabdc26fa1525de194fd4933d5f5ca5dd17ec8dc9c6f492748343e361331a8276e4
SSDEEP: 3072:GVDkUQpJjGA0L/ono47Xxwjgir33hoUYPnjU:GVanq1ronov36Pg
Malware Config
Signatures

Drops file in Drivers directory (4 IoCs)
Processes:
  description                  | ioc                                      | process
  File opened for modification | C:\Windows\SysWOW64\drivers\ahnsvr.sys   | rundll32.exe
  File created                 | C:\Windows\SysWOW64\drivers\ntfsny.sys   | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\ntfsny.sys   | rundll32.exe
  File created                 | C:\Windows\SysWOW64\drivers\ahnsvr.sys   | rundll32.exe

Processes:
  resource                                                                    | yara_rule
  behavioral2/memory/360-133-0x0000000010000000-0x0000000010036000-memory.dmp | upx

Drops file in System32 directory (1 IoC)
Processes:
  description  | ioc                               | process
  File created | C:\Windows\SysWOW64\midisappe.dll | rundll32.exe

Drops file in Windows directory (4 IoCs)
Processes:
  description                  | ioc                            | process
  File created                 | C:\Windows\tasks\ahnsvr.dat    | rundll32.exe
  File created                 | C:\Windows\tasks\midisappe.dat | rundll32.exe
  File opened for modification | C:\Windows\tasks\midisappe.dat | rundll32.exe
  File created                 | C:\Windows\tasks\ntfsny.dat    | rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  360 | rundll32.exe
  360 | rundll32.exe

Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
  pid | process
  660 |
  660 |

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description             | pid | process
  Token: SeDebugPrivilege | 360 | rundll32.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      | pid  | process      | target process
  PID 4640 wrote to memory of 360  | 4640 | rundll32.exe | rundll32.exe
  PID 4640 wrote to memory of 360  | 4640 | rundll32.exe | rundll32.exe
  PID 4640 wrote to memory of 360  | 4640 | rundll32.exe | rundll32.exe
  PID 360 wrote to memory of 3064  | 360  | rundll32.exe | Explorer.EXE
Processes
C:\Windows\Explorer.EXE  (PID 3064)
  C:\Windows\system32\rundll32.exe  (PID 4640)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\01d7e523f0474bd4e22f9cf3064d8cdb5fb46a20d7ae24e810ab8e0503cdceed.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 360)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\01d7e523f0474bd4e22f9cf3064d8cdb5fb46a20d7ae24e810ab8e0503cdceed.dll,#1
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
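The chain in this report is what a detection should key on: the 64-bit rundll32.exe in system32 (PID 4640) re-launching the SysWOW64 copy (PID 360), which is what rundll32 does when handed a 32-bit DLL, and that 32-bit child then dropping .sys files under SysWOW64\drivers, creating a DLL in SysWOW64, and writing into Explorer.EXE. The Python below is an added example and is not part of the Triage report; it runs those checks over a handful of constructed Sysmon-shaped events. The event layout (id, pid, ppid, image, parent_image, target, target_pid) is a simplification of my own, not Sysmon's real field names, and the PIDs and paths in the events are copied from the report so the rules can be checked against it. The last check encodes one caveat: parent-to-child writes like 4640 into 360 are routinely recorded at process creation, so only a write into a process that is not the writer's own child (360 into Explorer.EXE, PID 3064) is reported.

```python
"""Detection checks for the behaviour in this report, run over constructed events.
Added example; not part of the Triage report or any vendor's detection content."""
from collections import defaultdict

# Indicators copied from the report (lower-cased for case-insensitive matching).
DROPPED_FILES = {
    r"c:\windows\syswow64\drivers\ahnsvr.sys",
    r"c:\windows\syswow64\drivers\ntfsny.sys",
    r"c:\windows\syswow64\midisappe.dll",
    r"c:\windows\tasks\ahnsvr.dat",
    r"c:\windows\tasks\midisappe.dat",
    r"c:\windows\tasks\ntfsny.dat",
}

# Constructed events: id 1 = process create, 11 = file create, 10 = cross-process
# write. This is a simplified, assumed layout, not real Sysmon telemetry.
R32_64 = r"C:\Windows\system32\rundll32.exe"
R32_32 = r"C:\Windows\SysWOW64\rundll32.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
EVENTS = [
    {"id": 1, "pid": 3064, "ppid": 0, "image": EXPLORER, "parent_image": ""},
    {"id": 1, "pid": 4640, "ppid": 3064, "image": R32_64, "parent_image": EXPLORER},
    {"id": 1, "pid": 360, "ppid": 4640, "image": R32_32, "parent_image": R32_64},
    {"id": 11, "pid": 360, "image": R32_32, "target": r"C:\Windows\SysWOW64\drivers\ntfsny.sys"},
    {"id": 11, "pid": 360, "image": R32_32, "target": r"C:\Windows\SysWOW64\drivers\ahnsvr.sys"},
    {"id": 11, "pid": 360, "image": R32_32, "target": r"C:\Windows\SysWOW64\midisappe.dll"},
    {"id": 11, "pid": 360, "image": R32_32, "target": r"C:\Windows\tasks\midisappe.dat"},
    # Noise: a file create that is not in the report's IoC list.
    {"id": 11, "pid": 360, "image": R32_32, "target": r"C:\Windows\Temp\benign.tmp"},
    # Parent writing into its child at creation time (expected), then the injection.
    {"id": 10, "pid": 4640, "image": R32_64, "target_pid": 360, "target_image": R32_32},
    {"id": 10, "pid": 360, "image": R32_32, "target_pid": 3064, "target_image": EXPLORER},
]


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_writes_driver(events):
    """File creates by rundll32.exe of a .sys file inside a drivers directory."""
    hits = []
    for e in events:
        if e["id"] != 11 or _base(e["image"]) != "rundll32.exe":
            continue
        t = e["target"].lower()
        if "\\drivers\\" in t and t.endswith(".sys"):
            hits.append(e["target"])
    return hits


def known_ioc_hits(events):
    """File creates whose full path matches an indicator from the report."""
    return sorted({e["target"] for e in events
                   if e["id"] == 11 and e["target"].lower() in DROPPED_FILES})


def wow64_rundll32_chain(events):
    """system32\\rundll32.exe spawning SysWOW64\\rundll32.exe: a 32-bit DLL under WoW64."""
    return [(e["ppid"], e["pid"]) for e in events
            if e["id"] == 1
            and _base(e["image"]) == "rundll32.exe"
            and "\\syswow64\\" in e["image"].lower()
            and _base(e["parent_image"]) == "rundll32.exe"
            and "\\system32\\" in e["parent_image"].lower()]


def rundll32_cross_process_write(events):
    """rundll32.exe writing into a process that is not its own child.

    Parent-to-child writes happen at every process creation, so they are excluded;
    what remains (here 360 -> Explorer.EXE 3064) is the injection worth alerting on."""
    children = defaultdict(set)
    for e in events:
        if e["id"] == 1:
            children[e["ppid"]].add(e["pid"])
    return [(e["pid"], e["target_pid"]) for e in events
            if e["id"] == 10
            and _base(e["image"]) == "rundll32.exe"
            and e["target_pid"] not in children[e["pid"]]]


if __name__ == "__main__":
    print("driver drops:", rundll32_writes_driver(EVENTS))
    print("known IoCs:", known_ioc_hits(EVENTS))
    print("WoW64 rundll32 chain:", wow64_rundll32_chain(EVENTS))
    print("cross-process writes:", rundll32_cross_process_write(EVENTS))
```

The path-based check in rundll32_writes_driver is the one that generalises beyond this sample; known_ioc_hits only catches this exact file set and should be treated as a hunting query, not a rule.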