Analysis

max time kernel: 61s
max time network: 8s
platform: windows7_x64
resource: win7v20201028
submitted: 03-12-2020 17:00
Behavioral task: behavioral1
Sample: sample.dll
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: sample.dll
Resource: win10v20201028 (windows10_x64)
0 signatures
0 seconds
General

Target: sample.dll
Score: 5/10
Malware Config: (none)

Signatures
Drops file in System32 directory (2 IoCs)
Processes: rundll32.exe

description | ioc | process
File opened for modification | C:\Windows\system32\rundll32.exe: $TASK | rundll32.exe
File opened for modification | C:\Windows\system32\rundll32.exe: $FILE | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: taskeng.exe

description | pid | process
Token: SeIncBasePriorityPrivilege | 1720 | taskeng.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: taskeng.exe

description | pid | process | target process
PID 1720 wrote to memory of 1612 | 1720 | taskeng.exe | rundll32.exe
PID 1720 wrote to memory of 1612 | 1720 | taskeng.exe | rundll32.exe
PID 1720 wrote to memory of 1612 | 1720 | taskeng.exe | rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1
  - Drops file in System32 directory
  PID: 1640

- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {07702D4A-B26B-429A-A204-452E16B9A8ED} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1720

  - C:\Windows\system32\rundll32.exe (child of taskeng.exe)
    command line: C:\Windows\system32\rundll32.exe -u
    PID: 1612