Analysis
- max time kernel: 119s
- max time network: 48s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 05-10-2021 12:34

Static task: static1

Behavioral task: behavioral1
- Sample: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
- Resource: win10-en-20210920 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
- Size: 67KB
- MD5: 639bb7abbd9bc6a9c275d0bf9555b610
- SHA1: e4831da0e8fe5f0a01cd42693e607bc611423c16
- SHA256: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
- SHA512: f01621fab7ba598b80d52675c20d0d4bb4749b91df3298ee1bd6d6d410eb54d091677f85a2d4673eb9dc3d8cff6f4a328735226de0f5a01bd314dbe6d9af92aa
- Score: 5/10
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - pid 1632, process rundll32.exe
- Modifies Control Panel (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International (process rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - pid 1632, process rundll32.exe
  - pid 1632, process rundll32.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  - rundll32.exe (pid 1632), tokens: SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege
  - vssvc.exe (pid 1820), tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 1644 wrote to memory of 1632 (pid 1644, process rundll32.exe, procid_target 25), 7 identical entries
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
  PID: 1644
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
    PID: 1632
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1820
  - Suspicious use of AdjustPrivilegeToken