300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3

Analysis

max time kernel
170s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 22:57

Target

300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3.dll
Size

132KB
MD5

80dcee8c8858c5e1123692425da2e962
SHA1

02d2a9adcd60de8e8c4905f54377934f03c0bf59
SHA256

300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3
SHA512

47ed7952dd09803f6df071b77e94e5fcaad60bc033ec7454656344d9b0e35250606da41a171c1c6f6ac9ad6f412e460869f642b11cbb524d98513a512d0ad1d7
SSDEEP

1536:gfxdLVZgZVOjClgHpwNmFmwYps0nd4d5AgjE/887CXnPufK7RP7:EbnWwYpRndtPgPufI7

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3572	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3572	rundll32mgr.exe
Token: SeDebugPrivilege	3572	rundll32mgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1672	4256	rundll32.exe	83
PID 4256 wrote to memory of 1672	4256	rundll32.exe	83
PID 4256 wrote to memory of 1672	4256	rundll32.exe	83
PID 1672 wrote to memory of 3572	1672	rundll32.exe	84
PID 1672 wrote to memory of 3572	1672	rundll32.exe	84
PID 1672 wrote to memory of 3572	1672	rundll32.exe	84
PID 3572 wrote to memory of 316	3572	rundll32mgr.exe	85
PID 3572 wrote to memory of 316	3572	rundll32mgr.exe	85
PID 3572 wrote to memory of 316	3572	rundll32mgr.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:316

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
memory/1672-133-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/3572-136-0x000000000042A000-0x0000000000438000-memory.dmp

Filesize
56KB

Download
memory/3572-139-0x0000000000400000-0x00000000004374CC-memory.dmp

Filesize
221KB

Download