33fc1c70444bfb647fa6ed6059e69bd0d19236a9f7563fab62c7200c6592b035 | Triage

Resubmissions

20-07-2021 12:57

210720-jsvvxfac36 10

01-03-2021 08:14

210301-cj96535m5s 10

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7v20201028
submitted
01-03-2021 08:14

Sharing

Report Analysis Logs

General

Target

store.dll
Size

299KB
MD5

a26bf5188c6d91da12fc91f9e3d5dc66
SHA1

40109ee7f74623e6a1e99fe3dd5008c08814c5c0
SHA256

efa50d60724d1c634b082cef987fc261dc217b22dd3b762c9568577440a68e7d
SHA512

a6e9e74af8262a2b19b2165c6f995f691ea8439373aeace0041592afe51439a74272b473f1f676e1dc099001144c92d4bad251cc1bdd881752e0666dbad49575

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\rundll32.exe: $FILE	rundll32.exe
File opened for modification	C:\Windows\system32\rundll32.exe: $TASK	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1764	taskeng.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 744	1764	taskeng.exe	30
PID 1764 wrote to memory of 744	1764	taskeng.exe	30
PID 1764 wrote to memory of 744	1764	taskeng.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\store.dll,#1
1⤵
- Drops file in System32 directory
PID:1864

C:\Windows\system32\taskeng.exe
taskeng.exe {0A12E72A-84B2-46A3-BD08-3266829EFDB1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe -u
  2⤵
  PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads