0e8e168c9bd7bf0abb03cb388e069e0050b77b2de95ca217c12e174980538b3d

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2023, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eraz0r.dll
Size

12.6MB
MD5

1a460374f370ef58c3b769d56f38b50b
SHA1

0dcd6b1b7db59d26bbab1ccf6930b7654477ebbe
SHA256

0e8e168c9bd7bf0abb03cb388e069e0050b77b2de95ca217c12e174980538b3d
SHA512

e2a1c37444ea8cc7c7cd20368250aee42c18160b4016d7bd4b380e41f36b3d58efa9609bf5b151b43728b6f7fad3ff65700f5b798286873c941c6067dd854961
SSDEEP

98304:CcDTwXlUKj57xHAe/JyS1DOlRomRQvPMaQQBtVD/EmYESD8G+JKBdK9/TToGFXob:CblUWNOlRomRQvPMa2+JB2

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	4644	rundll32.exe
28	4644	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2368	4644	rundll32.exe	91
PID 4644 wrote to memory of 2368	4644	rundll32.exe	91
PID 2368 wrote to memory of 4496	2368	cmd.exe	93
PID 2368 wrote to memory of 4496	2368	cmd.exe	93
PID 4644 wrote to memory of 4496	4644	rundll32.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eraz0r.dll,#1
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\system32\cmd.exe
  "cmd" /c "start notepad.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4496-0-0x0000023822150000-0x0000023822151000-memory.dmp

Filesize
4KB

Download