9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c

Resubmissions

19/10/2022, 05:21

13/10/2022, 08:23

11/10/2022, 23:51

max time kernel
600s
max time network
603s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13/10/2022, 08:23

Target

cossacks.dat.dll
Size

743KB
MD5

25d8d740a5611fb6ab2e6df583c24a00
SHA1

41142c72f3f37fad22b01c6bd9eaf572551ff465
SHA256

9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c
SHA512

2de372428bac53af5fca71e443c6f9d7ebed9bf75faf76295c5f87aad1b1a51d6c6bbe5eb418cf9a5b65d29f81bb69a2bd64cfa9cdb640c9c259f2c43f57856b
SSDEEP

12288:e+4QHixeljmtjVFJcPp+cygICZoxlSr9p6q6xMZXJMeGbX//7OT:5DXjmtjVD3cygICZwSJp6q6yZXJM5T/c

Score

1^/10

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1760	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	taskmgr.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Suspicious use of SendNotifyMessage 33 IoCs

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1760	852	rundll32.exe	27
PID 852 wrote to memory of 1760	852	rundll32.exe	27
PID 852 wrote to memory of 1760	852	rundll32.exe	27
PID 852 wrote to memory of 1760	852	rundll32.exe	27
PID 852 wrote to memory of 1760	852	rundll32.exe	27
PID 852 wrote to memory of 1760	852	rundll32.exe	27
PID 852 wrote to memory of 1760	852	rundll32.exe	27
PID 1760 wrote to memory of 1280	1760	rundll32.exe	29
PID 1760 wrote to memory of 1280	1760	rundll32.exe	29
PID 1760 wrote to memory of 1280	1760	rundll32.exe	29
PID 1760 wrote to memory of 1280	1760	rundll32.exe	29
PID 1760 wrote to memory of 1280	1760	rundll32.exe	29
PID 1760 wrote to memory of 1280	1760	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cossacks.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cossacks.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1280

memory/916-62-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/916-64-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/916-63-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1280-69-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1280-68-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1760-57-0x00000000003F0000-0x0000000000419000-memory.dmp

Filesize
164KB

Download
memory/1760-61-0x00000000003F0000-0x0000000000419000-memory.dmp

Filesize
164KB

Download
memory/1760-60-0x00000000002F0000-0x0000000000319000-memory.dmp

Filesize
164KB

Download
memory/1760-59-0x00000000003F0000-0x0000000000419000-memory.dmp

Filesize
164KB

Download
memory/1760-58-0x00000000003F0000-0x0000000000419000-memory.dmp

Filesize
164KB

Download
memory/1760-67-0x00000000003F0000-0x0000000000419000-memory.dmp

Filesize
164KB

Download
memory/1760-56-0x00000000001C0000-0x000000000027E000-memory.dmp

Filesize
760KB

Download
memory/1760-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download