Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2024, 03:46
Static task
static1
Behavioral task
behavioral1
Sample
ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll
Resource
win7-20240903-en
General
-
Target
ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll
-
Size
2.3MB
-
MD5
3f088a81e399611b4516e97f08f64758
-
SHA1
66126112f4708787e2ada92aeb1f8efbd3345e32
-
SHA256
ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de
-
SHA512
3a805702e3cd11fffc9cea5184c21fd530f171156ea55fe1da4a20d0231bdf0ca38f2ccecd9915b1d20bf241168cc3114f0d64b381e6f3931b13d88a70e5eaf9
-
SSDEEP
49152:ubW3ttgCOH9BRCm5/AIu8aR+sqnEqr8K+lfXyGmxRpp1CPwDvt3uFlDCTa:uC3ttJOHTRCGAIu8aR+s28KO/yGmxh17
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" rundll32.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 2 2040 rundll32.exe 14 2040 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2040 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3552 wrote to memory of 2040 3552 rundll32.exe 86 PID 3552 wrote to memory of 2040 3552 rundll32.exe 86 PID 3552 wrote to memory of 2040 3552 rundll32.exe 86 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef53e8071a456732eb373d3e1e6d599008681bde0a3cb05fdf862c589a2723de.dll,#12⤵
- UAC bypass
- Blocklisted process makes network request
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2040
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2