Analysis
-
max time kernel
30s -
max time network
74s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
03/12/2022, 23:35
Static task
static1
Behavioral task
behavioral1
Sample
f3a3b2f45320680c1eb364c3411e11cc7b34893a47913023c42dfae38ec7bb10.dll
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
f3a3b2f45320680c1eb364c3411e11cc7b34893a47913023c42dfae38ec7bb10.dll
Resource
win10v2004-20220812-en
General
-
Target
f3a3b2f45320680c1eb364c3411e11cc7b34893a47913023c42dfae38ec7bb10.dll
-
Size
238KB
-
MD5
e84b4b7765930ba7138c52e98409e210
-
SHA1
b3f52a6443f55c596e226039042b550c5b066ae9
-
SHA256
f3a3b2f45320680c1eb364c3411e11cc7b34893a47913023c42dfae38ec7bb10
-
SHA512
bae6f2aba2d3bb771bbb687a2d2cbc6ed59ebbe28d89ae8196b1e6b23b7be9f98b126d26febf790fb72880ba412928c5305135c0777c2fba89d467b3d5e9a346
-
SSDEEP
3072:JnXrqiu9G4DAW0X5iUgPcXwA6aI5k4IcvRVCIdlaEZ+XH1b85ueZQFCVkOchFglJ:JnbdyG4E581VjJXd8y+XMQF8kBF2q4
Malware Config
Signatures
-
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\win.ini rundll32.exe File opened for modification C:\Windows\tawisys.ini rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1308 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 956 wrote to memory of 1308 956 rundll32.exe 28 PID 956 wrote to memory of 1308 956 rundll32.exe 28 PID 956 wrote to memory of 1308 956 rundll32.exe 28 PID 956 wrote to memory of 1308 956 rundll32.exe 28 PID 956 wrote to memory of 1308 956 rundll32.exe 28 PID 956 wrote to memory of 1308 956 rundll32.exe 28 PID 956 wrote to memory of 1308 956 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f3a3b2f45320680c1eb364c3411e11cc7b34893a47913023c42dfae38ec7bb10.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f3a3b2f45320680c1eb364c3411e11cc7b34893a47913023c42dfae38ec7bb10.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1308
-