Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
07-04-2024 19:57
Static task
static1
Behavioral task
behavioral1
Sample
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll
Resource
win10v2004-20240226-en
General
-
Target
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll
-
Size
171KB
-
MD5
430465c4ab9d7ad100dea53703ecfb93
-
SHA1
c48dabd4dcf30e371f264d74d6c9edd512ec4603
-
SHA256
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81
-
SHA512
f5bea2af23bb3b1eed0a6493443101afadc8b1a30d24d31afd2b2f8bd8bcd052433528c7539610acc127e07fd1b917b371700b2676f6d569c00eb989ca885eb5
-
SSDEEP
3072:sCx969mf1oCBEyUmY8Hb6smCDpDjL0dbKKHwYLWekmRaMBQoVqy8j2GEctsMYDCh:sCzn9BVUmFH5hpDiqY/LHVl8yhxJgV
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2336-4-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral1/memory/2336-3-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral1/memory/2336-6-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral1/memory/2336-7-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral1/memory/2336-11-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral1/memory/2336-12-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent -
Blocklisted process makes network request 11 IoCs
Processes:
rundll32.exeflow pid process 3 2336 rundll32.exe 5 2336 rundll32.exe 6 2336 rundll32.exe 7 2336 rundll32.exe 8 2336 rundll32.exe 9 2336 rundll32.exe 12 2336 rundll32.exe 13 2336 rundll32.exe 14 2336 rundll32.exe 16 2336 rundll32.exe 17 2336 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\gc = "C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll\",GetColor" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 2336 rundll32.exe 2336 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2336 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1512 wrote to memory of 2336 1512 rundll32.exe rundll32.exe PID 1512 wrote to memory of 2336 1512 rundll32.exe rundll32.exe PID 1512 wrote to memory of 2336 1512 rundll32.exe rundll32.exe PID 1512 wrote to memory of 2336 1512 rundll32.exe rundll32.exe PID 1512 wrote to memory of 2336 1512 rundll32.exe rundll32.exe PID 1512 wrote to memory of 2336 1512 rundll32.exe rundll32.exe PID 1512 wrote to memory of 2336 1512 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll,#12⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1