305a92a3584e9cc830707e79a8a39cf2097076841772860d00223a4eadd6bf9e

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 18:06

Target

305a92a3584e9cc830707e79a8a39cf2097076841772860d00223a4eadd6bf9e.dll
Size

181KB
MD5

d6eff41ab9f91f22cb7dffbfd748d441
SHA1

0dff7e32abb11cf84aee1cd288d44d443e7d9850
SHA256

305a92a3584e9cc830707e79a8a39cf2097076841772860d00223a4eadd6bf9e
SHA512

143e9c24dd7fe6386b57b39d0e6b2dc5d3e0b0ab7c9c1f4214afd5a9cc7c2798b05c6b828f42427657ad5cd6040f96c286912f6873eb71e9e71c92e9cecca805
SSDEEP

3072:vapksoi/OWfz+NocZYzErTfP3VF2QORYchO/6a8q+0IwJAmTx7IbWNo1VQ:Gksoi/ZzOCzI2fxhO/v8qpIQZx7I91S

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4936-133-0x00000000757B0000-0x0000000075806000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4936	rundll32.exe
4936	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4936	5052	rundll32.exe	81
PID 5052 wrote to memory of 4936	5052	rundll32.exe	81
PID 5052 wrote to memory of 4936	5052	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\305a92a3584e9cc830707e79a8a39cf2097076841772860d00223a4eadd6bf9e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\305a92a3584e9cc830707e79a8a39cf2097076841772860d00223a4eadd6bf9e.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

memory/4936-133-0x00000000757B0000-0x0000000075806000-memory.dmp

Filesize
344KB

Download