Analysis
max time kernel: 126s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2023 01:55
Behavioral task: behavioral1
  Sample: ed49b23df7defab3df933c778183b12c019ab253330090f214f4bb5c2f89bcbc.dll
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ed49b23df7defab3df933c778183b12c019ab253330090f214f4bb5c2f89bcbc.dll
  Resource: win10v2004-20230220-en
General
Target: ed49b23df7defab3df933c778183b12c019ab253330090f214f4bb5c2f89bcbc.dll
Size: 164KB
MD5: f0c97dcb65a030a214f6dd33cf4a8566
SHA1: b23175fa1d3989baa2e3d8b5c7192554c24abf18
SHA256: ed49b23df7defab3df933c778183b12c019ab253330090f214f4bb5c2f89bcbc
SHA512: 24d7963631784357c4615ef94cecda9caaf47bc33896d6c897da324d55bda70713da4957f82ead8764f82cf6af1b5d9c8d3ad015fe3354694e9c331abbb67485
SSDEEP: 3072:AZPM0OGdUKV10OTed7/kBazzFbULOHOiPyH53ZV6:AZPMnGZVyO6F/M4qyPU53Z
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation  rundll32.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
  description              ioc     process
  File opened (read-only)  \??\A:  rundll32.exe
  File opened (read-only)  \??\T:  rundll32.exe
  File opened (read-only)  \??\V:  rundll32.exe
  File opened (read-only)  \??\Y:  rundll32.exe
  File opened (read-only)  \??\Z:  rundll32.exe
  File opened (read-only)  \??\E:  rundll32.exe
  File opened (read-only)  \??\H:  rundll32.exe
  File opened (read-only)  \??\I:  rundll32.exe
  File opened (read-only)  \??\J:  rundll32.exe
  File opened (read-only)  \??\O:  rundll32.exe
  File opened (read-only)  \??\S:  rundll32.exe
  File opened (read-only)  \??\X:  rundll32.exe
  File opened (read-only)  \??\R:  rundll32.exe
  File opened (read-only)  \??\B:  rundll32.exe
  File opened (read-only)  \??\F:  rundll32.exe
  File opened (read-only)  \??\K:  rundll32.exe
  File opened (read-only)  \??\L:  rundll32.exe
  File opened (read-only)  \??\N:  rundll32.exe
  File opened (read-only)  \??\P:  rundll32.exe
  File opened (read-only)  \??\Q:  rundll32.exe
  File opened (read-only)  \??\W:  rundll32.exe
  File opened (read-only)  \??\G:  rundll32.exe
  File opened (read-only)  \??\M:  rundll32.exe
  File opened (read-only)  \??\U:  rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid   process
  4568  rundll32.exe
  4568  rundll32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                     pid   process       target process
  PID 1080 wrote to memory of 4568  1080  rundll32.exe  rundll32.exe
  PID 1080 wrote to memory of 4568  1080  rundll32.exe  rundll32.exe
  PID 1080 wrote to memory of 4568  1080  rundll32.exe  rundll32.exe
  PID 4568 wrote to memory of 528   4568  rundll32.exe  cmd.exe
  PID 4568 wrote to memory of 528   4568  rundll32.exe  cmd.exe
  PID 4568 wrote to memory of 528   4568  rundll32.exe  cmd.exe
Processes
[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed49b23df7defab3df933c778183b12c019ab253330090f214f4bb5c2f89bcbc.dll,#1
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed49b23df7defab3df933c778183b12c019ab253330090f214f4bb5c2f89bcbc.dll,#1
        - Checks computer location settings
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
[1] C:\Windows\system32\wbem\unsecapp.exe
    Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding