Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 12:08
Behavioral task behavioral1
Sample: TrojanDropper.Win32.dll
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: TrojanDropper.Win32.dll
Resource: win10v2004-20240802-en
General
Target: TrojanDropper.Win32.dll
Size: 80KB
MD5: da876b1ccfc32e48447fb2bcd97d7100
SHA1: caa2d84d33c8701408dbb04aa50929ec0cb39982
SHA256: 881fa82e7cd7a08691f6d8795c37e3edf2d9c134ee1dc01d3251775a0f04c503
SHA512: 8236977145e3419ede6c56d53be466376064ab94a888ad41309884080922892475bc13f3b1767f421241d89716cc2f7a853e3df27cc76dd7b838f8e53077b646
SSDEEP: 1536:5POOhfbOjovgdVydUgoNrwBZXGDaZ1QIxrfItMgR7ZaO+fGxHZPEZ9lpy:5dbwovEVyqgoZmZXWfIdQdRaefPslE
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow  pid   Process
4     2764  rundll32.exe
8     2764  rundll32.exe
9     2764  rundll32.exe

resource                                                                    yara_rule
behavioral1/memory/2764-1-0x0000000010000000-0x0000000010033000-memory.dmp  upx
behavioral1/memory/2764-2-0x0000000010000000-0x0000000010033000-memory.dmp  upx
behavioral1/memory/2764-0-0x0000000010000000-0x0000000010033000-memory.dmp  upx
behavioral1/memory/2764-5-0x0000000010000000-0x0000000010033000-memory.dmp  upx
behavioral1/memory/2764-6-0x0000000010000000-0x0000000010033000-memory.dmp  upx
behavioral1/memory/2764-7-0x0000000010000000-0x0000000010033000-memory.dmp  upx
behavioral1/memory/2764-14-0x0000000010000000-0x0000000010033000-memory.dmp upx
behavioral1/memory/2764-15-0x0000000010000000-0x0000000010033000-memory.dmp upx
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description             ioc     Process
File opened (read-only) \??\e:  rundll32.exe
Network Service Discovery (9 IoCs)
pid   Process
552   arp.exe
2840  arp.exe
2092  arp.exe
2696  arp.exe
2820  arp.exe
2800  arp.exe
2580  arp.exe
2632  arp.exe
1632  arp.exe
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2764  rundll32.exe
2764  rundll32.exe
2764  rundll32.exe

Suspicious behavior: LoadsDriver (2 IoCs)
pid  Process
476  Process not Found
476  Process not Found

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2764  rundll32.exe
Suspicious use of WriteProcessMemory (47 IoCs)
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2692
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.dll,#1
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2764
    C:\Windows\SysWOW64\arp.exe
      arp -a
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 2696
    C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.0.1 fa-72-db-1f-a1-21
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 552
    C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.255.255 6d-b0-e8-7d-15-6f
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 2820
    C:\Windows\SysWOW64\arp.exe
      arp -s 37.27.61.180 7b-87-0d-d8-8a-69
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 2800
    C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.22 11-f8-4a-d8-8e-63
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 2840
    C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.251 ea-57-8b-49-2a-cf
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 2580
    C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.252 34-47-27-18-60-3b
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 2632
    C:\Windows\SysWOW64\arp.exe
      arp -s 239.255.255.250 8a-db-fd-1f-c0-f6
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 2092
    C:\Windows\SysWOW64\arp.exe
      arp -s 255.255.255.255 30-b9-45-b7-5d-95
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      PID: 1632
    C:\Windows\SysWOW64\arp.exe
      arp -d
      - System Location Discovery: System Language Discovery
      PID: 2968