852c45049ec6e384dea40e3cc70479ad06015277646cf30da7ef9a038de9267e

Analysis

max time kernel
429s
max time network
433s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/10/2022, 22:39

Target

852c45049ec6e384dea40e3cc70479ad06015277646cf30da7ef9a038de9267e.dll
Size

11KB
MD5

2563874010c5adf9009cb9b231c3d0fc
SHA1

379db96603a3d0264ea2840de47da19aee38b1c9
SHA256

852c45049ec6e384dea40e3cc70479ad06015277646cf30da7ef9a038de9267e
SHA512

c54f9d168978e834126768c5799cb9068f65dff6beabce73b7298202425f78f7f7c01ec7d4949f07c7157067993a1c3da93071fe950a0faab4d96c28abbd6412
SSDEEP

192:lauTvq4xfawaSuRCi8LKcrSCI1EtuXUqsENhqj1acYu9x0ylNmsUJiSIqLVJTho7:ld7q4VawaSuiSOtuEohqj1XYux00mwq6

Score

1^/10

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1360	rundll32.exe
Token: SeSecurityPrivilege	1360	rundll32.exe
Token: SeTakeOwnershipPrivilege	1360	rundll32.exe
Token: SeLoadDriverPrivilege	1360	rundll32.exe
Token: SeSystemProfilePrivilege	1360	rundll32.exe
Token: SeSystemtimePrivilege	1360	rundll32.exe
Token: SeProfSingleProcessPrivilege	1360	rundll32.exe
Token: SeIncBasePriorityPrivilege	1360	rundll32.exe
Token: SeCreatePagefilePrivilege	1360	rundll32.exe
Token: SeBackupPrivilege	1360	rundll32.exe
Token: SeRestorePrivilege	1360	rundll32.exe
Token: SeShutdownPrivilege	1360	rundll32.exe
Token: SeDebugPrivilege	1360	rundll32.exe
Token: SeSystemEnvironmentPrivilege	1360	rundll32.exe
Token: SeChangeNotifyPrivilege	1360	rundll32.exe
Token: SeRemoteShutdownPrivilege	1360	rundll32.exe
Token: SeUndockPrivilege	1360	rundll32.exe
Token: SeManageVolumePrivilege	1360	rundll32.exe
Token: SeImpersonatePrivilege	1360	rundll32.exe
Token: SeCreateGlobalPrivilege	1360	rundll32.exe
Token: 33	1360	rundll32.exe
Token: 34	1360	rundll32.exe
Token: 35	1360	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1360	1512	rundll32.exe	27
PID 1512 wrote to memory of 1360	1512	rundll32.exe	27
PID 1512 wrote to memory of 1360	1512	rundll32.exe	27
PID 1512 wrote to memory of 1360	1512	rundll32.exe	27
PID 1512 wrote to memory of 1360	1512	rundll32.exe	27
PID 1512 wrote to memory of 1360	1512	rundll32.exe	27
PID 1512 wrote to memory of 1360	1512	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\852c45049ec6e384dea40e3cc70479ad06015277646cf30da7ef9a038de9267e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\852c45049ec6e384dea40e3cc70479ad06015277646cf30da7ef9a038de9267e.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1360

memory/1360-55-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1360-56-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1360-57-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1360-58-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download