9d30faba964d269e873d001b4cdc77674b3e7da67d8a4666cb5b532d15b79a6f

Analysis

Target

22a0ceb74f566484220466e975d4fa835f4edf6279f9426f36498d8aa3337017.dll
Size

368KB
MD5

4bf3af70dcbddb2176b0bf611a8f945c
SHA1

59bbd8de9de9f891adb73b4c5711cfb7a3073fa5
SHA256

22a0ceb74f566484220466e975d4fa835f4edf6279f9426f36498d8aa3337017
SHA512

ff2f75d15d5bfffb2a5cae30e231d2fc1c33adc9fc4b771e1eb5587d4761ebdc2afff3618f218ffa7c020b11f264217916acb2c6114a5752c53dda13af89134f

Score

8^/10

Blocklisted process makes network request 38 IoCs

Processes:

msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1164 set thread context of 3264 1164 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 3264 msiexec.exe
Token: SeSecurityPrivilege 3264 msiexec.exe

description	pid	process	target process
PID 1164 set thread context of 3264	1164	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	3264	msiexec.exe
Token: SeSecurityPrivilege	3264	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 740 wrote to memory of 1164	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1164	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1164	740	rundll32.exe	rundll32.exe
PID 1164 wrote to memory of 3264	1164	rundll32.exe	msiexec.exe
PID 1164 wrote to memory of 3264	1164	rundll32.exe	msiexec.exe
PID 1164 wrote to memory of 3264	1164	rundll32.exe	msiexec.exe
PID 1164 wrote to memory of 3264	1164	rundll32.exe	msiexec.exe
PID 1164 wrote to memory of 3264	1164	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22a0ceb74f566484220466e975d4fa835f4edf6279f9426f36498d8aa3337017.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\22a0ceb74f566484220466e975d4fa835f4edf6279f9426f36498d8aa3337017.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:3264

memory/1164-2-0x0000000000000000-mapping.dmp

Download
memory/1164-3-0x0000000001000000-0x0000000001029000-memory.dmp

Filesize
164KB

Download
memory/1164-4-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3264-5-0x0000000000000000-mapping.dmp

Download
memory/3264-6-0x0000000002140000-0x0000000002169000-memory.dmp

Filesize
164KB

Download