Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-04-2024 19:57
Static task
static1
Behavioral task
behavioral1
Sample
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll
Resource
win10v2004-20240226-en
General
-
Target
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll
-
Size
171KB
-
MD5
430465c4ab9d7ad100dea53703ecfb93
-
SHA1
c48dabd4dcf30e371f264d74d6c9edd512ec4603
-
SHA256
33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81
-
SHA512
f5bea2af23bb3b1eed0a6493443101afadc8b1a30d24d31afd2b2f8bd8bcd052433528c7539610acc127e07fd1b917b371700b2676f6d569c00eb989ca885eb5
-
SSDEEP
3072:sCx969mf1oCBEyUmY8Hb6smCDpDjL0dbKKHwYLWekmRaMBQoVqy8j2GEctsMYDCh:sCzn9BVUmFH5hpDiqY/LHVl8yhxJgV
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 5 IoCs
Processes:
resource yara_rule behavioral2/memory/3052-1-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/3052-3-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/3052-4-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/3052-6-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/3052-8-0x0000000010000000-0x000000001004E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent -
Blocklisted process makes network request 10 IoCs
Processes:
rundll32.exeflow pid process 15 3052 rundll32.exe 20 3052 rundll32.exe 27 3052 rundll32.exe 28 3052 rundll32.exe 29 3052 rundll32.exe 43 3052 rundll32.exe 44 3052 rundll32.exe 48 3052 rundll32.exe 55 3052 rundll32.exe 57 3052 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gc = "C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll\",GetColor" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 3052 rundll32.exe 3052 rundll32.exe 3052 rundll32.exe 3052 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3052 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3668 wrote to memory of 3052 3668 rundll32.exe rundll32.exe PID 3668 wrote to memory of 3052 3668 rundll32.exe rundll32.exe PID 3668 wrote to memory of 3052 3668 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\33b85c107eaa0b827d8d86ecc1634a4638243e2ee9817746517e30fcd8a6be81.dll,#12⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1