035c1959eb274806f26b2e6c29d13152eeacb976560de99a331b4ece1de367b8 | Triage

Analysis

max time kernel
184s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:12

Sharing

Report Analysis Logs

General

Target

madCHook.dll
Size

123KB
MD5

369d077a89a03823debf94ed5e0dfcd1
SHA1

a14bdc948373e84b24798e20a7e91d59ad67c8ba
SHA256

a9a1e9fa16890d4b51b514adddec3e5592fbf2ee25611029c67c813225c54ee9
SHA512

5506c4f8022fc9d607f86e59e1aceab2c29c6eac721604e308fb6e26134a88061c06929e5a13409555e660d4e957943306e7cc35eb917bd262496726926ac5b5
SSDEEP

3072:Yfx6nz7ixioxKHncfwUi8yqEZ6vMDPYnDa+nER:2x6z7ixrC/qfnDa+n

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1668	rundll32.exe
Token: SeSecurityPrivilege	1668	rundll32.exe
Token: SeTakeOwnershipPrivilege	1668	rundll32.exe
Token: SeLoadDriverPrivilege	1668	rundll32.exe
Token: SeSystemProfilePrivilege	1668	rundll32.exe
Token: SeSystemtimePrivilege	1668	rundll32.exe
Token: SeProfSingleProcessPrivilege	1668	rundll32.exe
Token: SeIncBasePriorityPrivilege	1668	rundll32.exe
Token: SeCreatePagefilePrivilege	1668	rundll32.exe
Token: SeShutdownPrivilege	1668	rundll32.exe
Token: SeDebugPrivilege	1668	rundll32.exe
Token: SeSystemEnvironmentPrivilege	1668	rundll32.exe
Token: SeRemoteShutdownPrivilege	1668	rundll32.exe
Token: SeUndockPrivilege	1668	rundll32.exe
Token: SeManageVolumePrivilege	1668	rundll32.exe
Token: 33	1668	rundll32.exe
Token: 34	1668	rundll32.exe
Token: 35	1668	rundll32.exe
Token: 36	1668	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1368 wrote to memory of 1668	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1668	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1668	1368	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madCHook.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madCHook.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-132-0x0000000000000000-mapping.dmp

Download