09938bcf30064a4c820772d773523e06b4aafad7c32eb1448cf2d2d2747122c0

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08-01-2023 19:59

Target

09938bcf30064a4c820772d773523e06b4aafad7c32eb1448cf2d2d2747122c0.dll
Size

932KB
MD5

db9bf1943f759509a0e05573e30b9258
SHA1

311571e2ccd1d8b5ee26b7c014aeeb26d8397931
SHA256

09938bcf30064a4c820772d773523e06b4aafad7c32eb1448cf2d2d2747122c0
SHA512

1b965e6c36791b0ed06c907d19d63a6c0521cc26403b4f7bbec25d8c0a3c7157a1fcc9f01af1aabe95e069d303ec47489452a0fdf43a084530be9b33fbb95ff3
SSDEEP

24576:5hzAZesxZQNZo7f4JjVMYSHA974CZCsrDzF:5+oMc74ArN

Score

10^/10

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1420 created 480	1420	rundll32.exe	1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	rundll32.exe
1420	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1420	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1420	628	rundll32.exe	28
PID 628 wrote to memory of 1420	628	rundll32.exe	28
PID 628 wrote to memory of 1420	628	rundll32.exe	28
PID 628 wrote to memory of 1420	628	rundll32.exe	28
PID 628 wrote to memory of 1420	628	rundll32.exe	28
PID 628 wrote to memory of 1420	628	rundll32.exe	28
PID 628 wrote to memory of 1420	628	rundll32.exe	28
PID 1420 wrote to memory of 1040	1420	rundll32.exe	29
PID 1420 wrote to memory of 1040	1420	rundll32.exe	29
PID 1420 wrote to memory of 1040	1420	rundll32.exe	29
PID 1420 wrote to memory of 1040	1420	rundll32.exe	29
PID 1420 wrote to memory of 1664	1420	rundll32.exe	31
PID 1420 wrote to memory of 1664	1420	rundll32.exe	31
PID 1420 wrote to memory of 1664	1420	rundll32.exe	31
PID 1420 wrote to memory of 1664	1420	rundll32.exe	31
PID 1420 wrote to memory of 1664	1420	rundll32.exe	31
PID 1420 wrote to memory of 1664	1420	rundll32.exe	31
PID 1420 wrote to memory of 1664	1420	rundll32.exe	31

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe
  2⤵
  PID:1664

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\09938bcf30064a4c820772d773523e06b4aafad7c32eb1448cf2d2d2747122c0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\09938bcf30064a4c820772d773523e06b4aafad7c32eb1448cf2d2d2747122c0.dll,#1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe
    3⤵
    PID:1040

memory/1420-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download