a0ab86e9efe2856e3f117c10199eec4bbe0ab86dcad8c5cbb0f4d5164d0b9a14

Analysis

max time kernel
9s
max time network
111s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 00:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a0ab86e9efe2856e3f117c10199eec4bbe0ab86dcad8c5cbb0f4d5164d0b9a14.dll
Size

101KB
MD5

cd7025a2c42410cdd034eca2e5b191e0
SHA1

13ce5d3daab90708983eb66bc0ece5fcc3e4eeba
SHA256

a0ab86e9efe2856e3f117c10199eec4bbe0ab86dcad8c5cbb0f4d5164d0b9a14
SHA512

3192519e964220c0413d596e074da3abaaeae5d9495b7623410410046637318a2f49525a75f16fcfec29a4359329d212a4cbe1fa4f1fc645adadddb0c79476e5
SSDEEP

3072:bGi1nGeyrKDXz3XAawc6HaWYK3f/NAo4:CiqKTw190KvVAo

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 320	872	rundll32.exe	28
PID 872 wrote to memory of 320	872	rundll32.exe	28
PID 872 wrote to memory of 320	872	rundll32.exe	28
PID 872 wrote to memory of 320	872	rundll32.exe	28
PID 872 wrote to memory of 320	872	rundll32.exe	28
PID 872 wrote to memory of 320	872	rundll32.exe	28
PID 872 wrote to memory of 320	872	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0ab86e9efe2856e3f117c10199eec4bbe0ab86dcad8c5cbb0f4d5164d0b9a14.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0ab86e9efe2856e3f117c10199eec4bbe0ab86dcad8c5cbb0f4d5164d0b9a14.dll,#1
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/320-59-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/320-61-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download