ccff78dc2bb8dad3ea16a7730c955774e552b4f004ec6941b59f8c31e5834689

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 14:26

Target

ccff78dc2bb8dad3ea16a7730c955774e552b4f004ec6941b59f8c31e5834689.dll
Size

109KB
MD5

1768b5cbbb9661b9a63c62d432af4f1f
SHA1

40473cf43b5a5e4c173b691451835756fdeec285
SHA256

ccff78dc2bb8dad3ea16a7730c955774e552b4f004ec6941b59f8c31e5834689
SHA512

8edf090077a492fecc600fde1d3e52b96a3c9008aa32f3c78a528827e33b22b02201b3ec16ea5e6309f2bd3c3a5aad011ae1e45561a5131855a042e9c972529e
SSDEEP

3072:FD8APzVS69hnPbBWrmQ2OIVPBNOJvW4BEuK:P559AmQloLWO4

Score

1^/10

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1620	rundll32.exe
Token: SeSecurityPrivilege	1620	rundll32.exe
Token: SeTakeOwnershipPrivilege	1620	rundll32.exe
Token: SeLoadDriverPrivilege	1620	rundll32.exe
Token: SeSystemProfilePrivilege	1620	rundll32.exe
Token: SeSystemtimePrivilege	1620	rundll32.exe
Token: SeProfSingleProcessPrivilege	1620	rundll32.exe
Token: SeIncBasePriorityPrivilege	1620	rundll32.exe
Token: SeCreatePagefilePrivilege	1620	rundll32.exe
Token: SeShutdownPrivilege	1620	rundll32.exe
Token: SeDebugPrivilege	1620	rundll32.exe
Token: SeSystemEnvironmentPrivilege	1620	rundll32.exe
Token: SeRemoteShutdownPrivilege	1620	rundll32.exe
Token: SeUndockPrivilege	1620	rundll32.exe
Token: SeManageVolumePrivilege	1620	rundll32.exe
Token: 33	1620	rundll32.exe
Token: 34	1620	rundll32.exe
Token: 35	1620	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1620	1208	rundll32.exe	27
PID 1208 wrote to memory of 1620	1208	rundll32.exe	27
PID 1208 wrote to memory of 1620	1208	rundll32.exe	27
PID 1208 wrote to memory of 1620	1208	rundll32.exe	27
PID 1208 wrote to memory of 1620	1208	rundll32.exe	27
PID 1208 wrote to memory of 1620	1208	rundll32.exe	27
PID 1208 wrote to memory of 1620	1208	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccff78dc2bb8dad3ea16a7730c955774e552b4f004ec6941b59f8c31e5834689.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccff78dc2bb8dad3ea16a7730c955774e552b4f004ec6941b59f8c31e5834689.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

memory/1620-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download