Analysis
- max time kernel: 17s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2022 02:02
Static task: static1
Behavioral task: behavioral1
- Sample: 5a0cf8a63f38d1f2797ff223048817a37851b2b10496189dc8285ef5e0aef37a.dll
- Resource: win7-20220718-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: 5a0cf8a63f38d1f2797ff223048817a37851b2b10496189dc8285ef5e0aef37a.dll
- Size: 68KB
- MD5: 78515bb8d8c306e9955b3595c3ca1919
- SHA1: e5d423b7d57de6f227818b4da4e009b32a45f5f3
- SHA256: 5a0cf8a63f38d1f2797ff223048817a37851b2b10496189dc8285ef5e0aef37a
- SHA512: 7a03e859d432306b49efe79418dbcd3c821f12bf894a4a476bee92fb9a5a200c30f62e4884f4bbcaa87e47b24eda89149f84e24a292e6a775f7d39a60c5d01e7
Malware Config
Signatures
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid | process):
  - Token: SeImpersonatePrivilege | 944 | rundll32.exe
  - Token: SeTcbPrivilege | 944 | rundll32.exe
  - Token: SeChangeNotifyPrivilege | 944 | rundll32.exe
  - Token: SeCreateTokenPrivilege | 944 | rundll32.exe
  - Token: SeBackupPrivilege | 944 | rundll32.exe
  - Token: SeRestorePrivilege | 944 | rundll32.exe
  - Token: SeIncreaseQuotaPrivilege | 944 | rundll32.exe
  - Token: SeAssignPrimaryTokenPrivilege | 944 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
  - PID 1416 wrote to memory of 944 | 1416 | rundll32.exe | rundll32.exe
  - PID 1416 wrote to memory of 944 | 1416 | rundll32.exe | rundll32.exe
  - PID 1416 wrote to memory of 944 | 1416 | rundll32.exe | rundll32.exe
  - PID 1416 wrote to memory of 944 | 1416 | rundll32.exe | rundll32.exe
  - PID 1416 wrote to memory of 944 | 1416 | rundll32.exe | rundll32.exe
  - PID 1416 wrote to memory of 944 | 1416 | rundll32.exe | rundll32.exe
  - PID 1416 wrote to memory of 944 | 1416 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a0cf8a63f38d1f2797ff223048817a37851b2b10496189dc8285ef5e0aef37a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a0cf8a63f38d1f2797ff223048817a37851b2b10496189dc8285ef5e0aef37a.dll,#1
    - Suspicious use of AdjustPrivilegeToken