57e904826d3bf91a0f2c4f28043e061b5a6c4095ca1fce533971e0259e568a9e | Triage

Resubmissions

06-08-2021 11:08

210806-4ctldbqb4e 10

06-08-2021 10:57

210806-873ec2x5qx 10

Analysis

max time kernel
62s
max time network
45s
platform
windows7_x64
resource
win7v20210408
submitted
06-08-2021 10:57

Sharing

Report Analysis Logs

General

Target

3b375dcda1f6019d986de1f7ae3458657e623c4f401c121e660add55d36a9e8c.dll
Size

340KB
MD5

a77e5deeb382adb108ee42d9b1cef724
SHA1

c41ed956c3036072368aee7cee61fa702b6c9ab7
SHA256

3b375dcda1f6019d986de1f7ae3458657e623c4f401c121e660add55d36a9e8c
SHA512

ca2581b6e1442d0c12f94447700fc309bd4e94469f38659d714a032d3ea3bc2f8ca1698c22f05fa5c4ab2c120e53c37b265ca85e3f4dc03c0805fbfde6e695c9

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\rundll32.exe: $TASK	rundll32.exe
File opened for modification	C:\Windows\system32\rundll32.exe: $FILE	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1232	taskeng.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2040	1232	taskeng.exe	30
PID 1232 wrote to memory of 2040	1232	taskeng.exe	30
PID 1232 wrote to memory of 2040	1232	taskeng.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b375dcda1f6019d986de1f7ae3458657e623c4f401c121e660add55d36a9e8c.dll,#1
1⤵
- Drops file in System32 directory
PID:1644

C:\Windows\system32\taskeng.exe
taskeng.exe {925E6B37-8F7D-4CEE-9CE8-4EE95AADDCA8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe -u
  2⤵
  PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads