Analysis
-
max time kernel
4294179s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
29-03-2022 09:37
Static task
static1
Behavioral task
behavioral1
Sample
talisman.dll
Resource
win7-20220311-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
talisman.dll
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
talisman.dll
-
Size
228KB
-
MD5
c6c6162cca729c4da879879b126d27c0
-
SHA1
80e5fd86127de526be75ef42ebc390fb0d559791
-
SHA256
344fc6c3211e169593ab1345a5cfa9bcb46a4604fe61ab212c9316c0d72b0865
-
SHA512
8e28e787bbb5f88211657148478351807c19cc47c2a1665f802927d9d6c9c0b0b6e0fb52e424aad011cdf70464feffbb1f2929a7ba37f69d758f85b337b55bf6
Score
1/10
Malware Config
Signatures
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32004200370046004200360046004300440044003500450041004400310034000000 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 280 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 280 rundll32.exe Token: SeTcbPrivilege 280 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1604 wrote to memory of 280 1604 rundll32.exe 27 PID 1604 wrote to memory of 280 1604 rundll32.exe 27 PID 1604 wrote to memory of 280 1604 rundll32.exe 27 PID 1604 wrote to memory of 280 1604 rundll32.exe 27 PID 1604 wrote to memory of 280 1604 rundll32.exe 27 PID 1604 wrote to memory of 280 1604 rundll32.exe 27 PID 1604 wrote to memory of 280 1604 rundll32.exe 27
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\talisman.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\talisman.dll,#12⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280
-