Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-12-2021 18:09
Static task
static1

Behavioral task
behavioral1
Sample: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll
Resource: win7-en-20211208 (windows7_x64)
0 signatures
0 seconds

Behavioral task
behavioral2
Sample: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll
Resource: win10-en-20211208 (windows10_x64)
0 signatures
0 seconds
General
Target: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll
Size: 80KB
MD5: 5b615cfd2ec6aa4f6242197481fc108b
SHA1: fc366c0f83711fed7303b752abf09f2be74e2a15
SHA256: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9
SHA512: 6080fa1e08239533e726cae2420b885627e53a7bbf9fd1fad1d2c861ebdf94262f8540f841a8dfa1956148d7601ec7a4a22ef965a0a7776bbb96e8535c6c30fe
Score: 5/10
Malware Config
Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid   Process
1576  rundll32.exe

Modifies Control Panel (1 IoC)
description  ioc                                                                                          Process
Key created  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1576  rundll32.exe
1576  rundll32.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
description                          pid   Process
Token: SeBackupPrivilege             1576  rundll32.exe
Token: SeDebugPrivilege              1576  rundll32.exe
Token: 36                            1576  rundll32.exe
Token: SeImpersonatePrivilege        1576  rundll32.exe
Token: SeIncBasePriorityPrivilege    1576  rundll32.exe
Token: SeIncreaseQuotaPrivilege      1576  rundll32.exe
Token: 33                            1576  rundll32.exe
Token: SeManageVolumePrivilege       1576  rundll32.exe
Token: SeProfSingleProcessPrivilege  1576  rundll32.exe
Token: SeRestorePrivilege            1576  rundll32.exe
Token: SeSecurityPrivilege           1576  rundll32.exe
Token: SeSystemProfilePrivilege      1576  rundll32.exe
Token: SeTakeOwnershipPrivilege      1576  rundll32.exe
Token: SeShutdownPrivilege           1576  rundll32.exe
Token: SeBackupPrivilege             816   vssvc.exe
Token: SeRestorePrivilege            816   vssvc.exe
Token: SeAuditPrivilege              816   vssvc.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                         pid  Process       procid_target
PID 544 wrote to memory of 1576     544  rundll32.exe  27
PID 544 wrote to memory of 1576     544  rundll32.exe  27
PID 544 wrote to memory of 1576     544  rundll32.exe  27
PID 544 wrote to memory of 1576     544  rundll32.exe  27
PID 544 wrote to memory of 1576     544  rundll32.exe  27
PID 544 wrote to memory of 1576     544  rundll32.exe  27
PID 544 wrote to memory of 1576     544  rundll32.exe  27
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 544

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1576

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 816