Analysis

max time kernel: 95s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2023 23:16
Static task: static1

Behavioral task: behavioral1
  Sample: a629e4cdc326f8c4f63bd1794f5eeb8f6a86f289d715bdf944fa46e085920cd7.dll
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: a629e4cdc326f8c4f63bd1794f5eeb8f6a86f289d715bdf944fa46e085920cd7.dll
  Resource: win10v2004-20221111-en
General

Target: a629e4cdc326f8c4f63bd1794f5eeb8f6a86f289d715bdf944fa46e085920cd7.dll
Size: 106KB
MD5: 59c2f5f09711902e3a75f726ba31462e
SHA1: 74ecfec2d8ad276f2f4ebc55a0718d3ce4110e1b
SHA256: a629e4cdc326f8c4f63bd1794f5eeb8f6a86f289d715bdf944fa46e085920cd7
SHA512: 5ea6060fe38c92269cc751dfbc8127166c5be5f421ed38b93aaff940d8908f87a52458268e70a2c06ea47dcd0c1e109787b5b3c5821c746ee337da518b632a41
SSDEEP: 1536:qzICS4A30TY1kUS/U2ztdS1I6DdL9Ta1T3P07nCVuhKhl3EgemhbPcG:ZJ0TYyUS/U2RgGWL9+OguhKb3E9gPJ
Malware Config

Signatures
Modifies registry class (5 IoCs)

description      | ioc                                                                                   | Process
Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\.vXVM5UI4x                                         | rundll32.exe
Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\.vXVM5UI4x\ = "vXVM5UI4x"                          | rundll32.exe
Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\vXVM5UI4x\DefaultIcon                              | rundll32.exe
Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\vXVM5UI4x                                          | rundll32.exe
Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\vXVM5UI4x\DefaultIcon\ = "C:\\ProgramData\\vXVM5UI4x.ico" | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

pid   | Process
4868  | rundll32.exe
4868  | rundll32.exe
4868  | rundll32.exe
4868  | rundll32.exe
4868  | rundll32.exe
4868  | rundll32.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)

description                            | pid   | Process
Token: SeAssignPrimaryTokenPrivilege   | 4868  | rundll32.exe
Token: SeBackupPrivilege               | 4868  | rundll32.exe
Token: SeDebugPrivilege                | 4868  | rundll32.exe
Token: 36                              | 4868  | rundll32.exe
Token: SeImpersonatePrivilege          | 4868  | rundll32.exe
Token: SeIncBasePriorityPrivilege      | 4868  | rundll32.exe
Token: SeIncreaseQuotaPrivilege        | 4868  | rundll32.exe
Token: 33                              | 4868  | rundll32.exe
Token: SeManageVolumePrivilege         | 4868  | rundll32.exe
Token: SeProfSingleProcessPrivilege    | 4868  | rundll32.exe
Token: SeRestorePrivilege              | 4868  | rundll32.exe
Token: SeSecurityPrivilege             | 4868  | rundll32.exe
Token: SeSystemProfilePrivilege        | 4868  | rundll32.exe
Token: SeTakeOwnershipPrivilege        | 4868  | rundll32.exe
Token: SeShutdownPrivilege             | 4868  | rundll32.exe
Token: SeDebugPrivilege                | 4868  | rundll32.exe
Token: SeAssignPrimaryTokenPrivilege   | 4868  | rundll32.exe
Token: SeBackupPrivilege               | 4868  | rundll32.exe
Token: SeDebugPrivilege                | 4868  | rundll32.exe
Token: 36                              | 4868  | rundll32.exe
Token: SeImpersonatePrivilege          | 4868  | rundll32.exe
Token: SeIncBasePriorityPrivilege      | 4868  | rundll32.exe
Token: SeIncreaseQuotaPrivilege        | 4868  | rundll32.exe
Token: 33                              | 4868  | rundll32.exe
Token: SeManageVolumePrivilege         | 4868  | rundll32.exe
Token: SeProfSingleProcessPrivilege    | 4868  | rundll32.exe
Token: SeRestorePrivilege              | 4868  | rundll32.exe
Token: SeSecurityPrivilege             | 4868  | rundll32.exe
Token: SeSystemProfilePrivilege        | 4868  | rundll32.exe
Token: SeTakeOwnershipPrivilege        | 4868  | rundll32.exe
Token: SeShutdownPrivilege             | 4868  | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)

description                        | pid   | Process       | procid_target
PID 4212 wrote to memory of 4868   | 4212  | rundll32.exe  | 78
PID 4212 wrote to memory of 4868   | 4212  | rundll32.exe  | 78
PID 4212 wrote to memory of 4868   | 4212  | rundll32.exe  | 78
Processes

C:\Windows\system32\rundll32.exe (PID 4212)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a629e4cdc326f8c4f63bd1794f5eeb8f6a86f289d715bdf944fa46e085920cd7.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 4868)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a629e4cdc326f8c4f63bd1794f5eeb8f6a86f289d715bdf944fa46e085920cd7.dll,#1
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken