8662a1f12f97b81552603f5bef14290c6662bfc3e2ec353fa36f2ad606d6c72d

Analysis

max time kernel
152s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 01:11

Target

8662a1f12f97b81552603f5bef14290c6662bfc3e2ec353fa36f2ad606d6c72d.dll
Size

214KB
MD5

0d0d9b1bc7a6c552510e6254f04047d5
SHA1

751e6e0ac79ef565541a45adf5a26f0fa85e9ded
SHA256

8662a1f12f97b81552603f5bef14290c6662bfc3e2ec353fa36f2ad606d6c72d
SHA512

73da3570973fe54e8d6ef941a99aa20c8087193fdb01c9458d3a485e764e6a1c58a973e1d0fdc1fe88e58745651db1035430ab96a8c940d08a4499026341d157
SSDEEP

3072:2OI7i4O0nAznJZ1+xhvuS0P96FcZDaQ9ynIbbVrkZ/toG3:2O0fOMqJ8hvQlNZOHnIbbVrkZT

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1552	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Cvye\Wpsaamlkj.gif	rundll32.exe
File created	C:\Program Files (x86)\Cvye\Wpsaamlkj.gif	rundll32.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2000	1688	rundll32.exe	27
PID 1688 wrote to memory of 2000	1688	rundll32.exe	27
PID 1688 wrote to memory of 2000	1688	rundll32.exe	27
PID 1688 wrote to memory of 2000	1688	rundll32.exe	27
PID 1688 wrote to memory of 2000	1688	rundll32.exe	27
PID 1688 wrote to memory of 2000	1688	rundll32.exe	27
PID 1688 wrote to memory of 2000	1688	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8662a1f12f97b81552603f5bef14290c6662bfc3e2ec353fa36f2ad606d6c72d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8662a1f12f97b81552603f5bef14290c6662bfc3e2ec353fa36f2ad606d6c72d.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2000

\??\c:\program files (x86)\cvye\wpsaamlkj.gif

Filesize
5.5MB

MD5
bce5922321262acffe68a554a292b27d

SHA1
242ab5e59e48317fc9bd13a79f08cd4439b5a628

SHA256
b2f2d4dfaf88a8e1dcf93461dde1dda8c86a546f3fa6d708a7b663c00c134408

SHA512
7a08db155f2b57260b66377b115f8d74ebb65a7989a3ca1b426dc5fd79e86d15461d5119f5c2ed6c380c317bd5612383404f5685e774b44b8e5e61cb278b7a96

Download Submit
\Program Files (x86)\Cvye\Wpsaamlkj.gif

Filesize
5.5MB

MD5
bce5922321262acffe68a554a292b27d

SHA1
242ab5e59e48317fc9bd13a79f08cd4439b5a628

SHA256
b2f2d4dfaf88a8e1dcf93461dde1dda8c86a546f3fa6d708a7b663c00c134408

SHA512
7a08db155f2b57260b66377b115f8d74ebb65a7989a3ca1b426dc5fd79e86d15461d5119f5c2ed6c380c317bd5612383404f5685e774b44b8e5e61cb278b7a96

Download Submit
memory/1552-60-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2000-54-0x0000000000000000-mapping.dmp

Download
memory/2000-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/2000-56-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download