3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c

General

Target

3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c.dll
Size

103KB
MD5

59b81f67645b876427e5f25ebc12a2c0
SHA1

c39741521c3303b0ebc3b704734f223c008781cc
SHA256

3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c
SHA512

6f84c91ae7886680c185ee1b117ae5ce1385d156b97a188097e2a8fccc62bb47e2741a8aea420d9208620e983416a36dec64237aaf1c95378b035a076aceee30
SSDEEP

1536:wmD6BS7LL1edo9yHSmxt4B4LCXivshX5tlL:wVBon1eWyHS2uBKvOJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
684	hrlAC76.tmp

Loads dropped DLL 6 IoCs

pid	Process
672	rundll32.exe
672	rundll32.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	684	WerFault.exe	29

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 672	944	rundll32.exe	28
PID 944 wrote to memory of 672	944	rundll32.exe	28
PID 944 wrote to memory of 672	944	rundll32.exe	28
PID 944 wrote to memory of 672	944	rundll32.exe	28
PID 944 wrote to memory of 672	944	rundll32.exe	28
PID 944 wrote to memory of 672	944	rundll32.exe	28
PID 944 wrote to memory of 672	944	rundll32.exe	28
PID 672 wrote to memory of 684	672	rundll32.exe	29
PID 672 wrote to memory of 684	672	rundll32.exe	29
PID 672 wrote to memory of 684	672	rundll32.exe	29
PID 672 wrote to memory of 684	672	rundll32.exe	29
PID 684 wrote to memory of 1268	684	hrlAC76.tmp	30
PID 684 wrote to memory of 1268	684	hrlAC76.tmp	30
PID 684 wrote to memory of 1268	684	hrlAC76.tmp	30
PID 684 wrote to memory of 1268	684	hrlAC76.tmp	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c.dll,#1
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\hrlAC76.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlAC76.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 112
      4⤵
      Loads dropped DLL
      Program crash
      PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlAC76.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
\Users\Admin\AppData\Local\Temp\hrlAC76.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
\Users\Admin\AppData\Local\Temp\hrlAC76.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
\Users\Admin\AppData\Local\Temp\hrlAC76.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
\Users\Admin\AppData\Local\Temp\hrlAC76.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
\Users\Admin\AppData\Local\Temp\hrlAC76.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
\Users\Admin\AppData\Local\Temp\hrlAC76.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
memory/672-64-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/672-55-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/684-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing