Analysis
-
max time kernel
61s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
03-12-2020 05:44
Behavioral task
behavioral1
Sample
sample.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
sample.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
sample.dll
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\rundll32.exe: $TASK rundll32.exe File opened for modification C:\Windows\system32\rundll32.exe: $FILE rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1764 taskeng.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1764 wrote to memory of 1100 1764 taskeng.exe 30 PID 1764 wrote to memory of 1100 1764 taskeng.exe 30 PID 1764 wrote to memory of 1100 1764 taskeng.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#11⤵
- Drops file in System32 directory
PID:1408
-
C:\Windows\system32\taskeng.exetaskeng.exe {E5A4CBA4-C098-4744-A706-3D4BEE5A9B70} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe -u2⤵PID:1100
-