Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/11/2024, 03:46
Static task
static1
Behavioral task
behavioral1
Sample
ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll
Resource
win7-20240903-en
General
-
Target
ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll
-
Size
2.3MB
-
MD5
3f088a81e399611b4516e97f08f64758
-
SHA1
66126112f4708787e2ada92aeb1f8efbd3345e32
-
SHA256
ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de
-
SHA512
3a805702e3cd11fffc9cea5184c21fd530f171156ea55fe1da4a20d0231bdf0ca38f2ccecd9915b1d20bf241168cc3114f0d64b381e6f3931b13d88a70e5eaf9
-
SSDEEP
49152:ubW3ttgCOH9BRCm5/AIu8aR+sqnEqr8K+lfXyGmxRpp1CPwDvt3uFlDCTa:uC3ttJOHTRCGAIu8aR+s28KO/yGmxh17
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" rundll32.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 1 3064 rundll32.exe 3 3064 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\T: rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3064 rundll32.exe 3064 rundll32.exe 3064 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3064 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2672 wrote to memory of 3064 2672 rundll32.exe 30 PID 2672 wrote to memory of 3064 2672 rundll32.exe 30 PID 2672 wrote to memory of 3064 2672 rundll32.exe 30 PID 2672 wrote to memory of 3064 2672 rundll32.exe 30 PID 2672 wrote to memory of 3064 2672 rundll32.exe 30 PID 2672 wrote to memory of 3064 2672 rundll32.exe 30 PID 2672 wrote to memory of 3064 2672 rundll32.exe 30 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll,#12⤵
- UAC bypass
- Blocklisted process makes network request
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3064
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2