Analysis

Max time kernel: 75s
Max time network: 53s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 02-02-2023 19:06
Static task: static1

Behavioral task: behavioral1
  Sample: b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1.dll
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1.dll
  Resource: win10v2004-20221111-en
General

Target: b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1.dll
Size: 242KB
MD5: 37355f4fd63e7abd89bdc841ed98229f
SHA1: a8d46a042e6095d7671dbac2aeff74c7bb5e792a
SHA256: b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1
SHA512: d40b42564ab8d7111e66159e8c176aeef6c8280aeb25edc28d464ca7c052274a41b5843bebb122be0066de3fdd80ee3216953ccbdc2106f900484c4c7f686d7b
SSDEEP: 3072:s4WFqwI3hbcVWJO5trDcEZn7YhX7wB0SZk5MVMvs4tL7wUQk3lFjMXV:B5MMCtroEVYB7wqMVMIGA
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1636  rundll32.exe
  1636  rundll32.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Windows\system32\rundll32.exe (PID 1636)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1.dll,#1
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 876)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{309BDB4B-09FA-4B2E-A35D-461EB97EED0F}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1164)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{309BDB4B-09FA-4B2E-A35D-461EB97EED0F}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (PID 1336)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1504)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (PID 1212)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63518277-314E-424C-927F-BE5311012F87}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1804)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63518277-314E-424C-927F-BE5311012F87}'" delete

  C:\Windows\system32\cmd.exe (PID 1616)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE926DAD-1617-4795-B527-6BF393D8C84F}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1744)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE926DAD-1617-4795-B527-6BF393D8C84F}'" delete

  C:\Windows\system32\cmd.exe (PID 1140)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA815155-F367-44DF-81BC-9261FA314804}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1736)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA815155-F367-44DF-81BC-9261FA314804}'" delete

  C:\Windows\system32\cmd.exe (PID 1540)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40CED04A-6E3E-4F2B-A898-3A91BC30C720}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1500)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40CED04A-6E3E-4F2B-A898-3A91BC30C720}'" delete

  C:\Windows\system32\cmd.exe (PID 1016)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84A94E09-FA64-4706-922F-1A42644841C7}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1592)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84A94E09-FA64-4706-922F-1A42644841C7}'" delete

  C:\Windows\system32\cmd.exe (PID 1784)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5310782C-4B83-44EF-A20A-4EF0D7F0F1CB}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1964)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5310782C-4B83-44EF-A20A-4EF0D7F0F1CB}'" delete

  C:\Windows\system32\cmd.exe (PID 576)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1F9BEBD-4E70-454E-8D24-DD4AE488E0DD}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1480)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1F9BEBD-4E70-454E-8D24-DD4AE488E0DD}'" delete

  C:\Windows\system32\cmd.exe (PID 1112)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5511917A-F208-4E79-AEC9-AE6599F02876}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1156)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5511917A-F208-4E79-AEC9-AE6599F02876}'" delete

  C:\Windows\system32\cmd.exe (PID 1212)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B689505-5AE8-4A90-B1F2-497F7F0C4150}'" delete
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1728)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B689505-5AE8-4A90-B1F2-497F7F0C4150}'" delete

  C:\Windows\system32\cmd.exe (PID 1616)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B3B653C1-A05E-459A-BD91-502AA66C0CEE}'" delete

    C:\Windows\System32\wbem\WMIC.exe (PID 112)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B3B653C1-A05E-459A-BD91-502AA66C0CEE}'" delete

  C:\Windows\system32\cmd.exe (PID 1436)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1E48722-B271-4CCD-AEF4-7F12F6FADC6A}'" delete

    C:\Windows\System32\wbem\WMIC.exe (PID 1892)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1E48722-B271-4CCD-AEF4-7F12F6FADC6A}'" delete

  C:\Windows\system32\cmd.exe (PID 1540)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F9276E2F-ACFF-4708-BCB1-F0A9011CD438}'" delete

    C:\Windows\System32\wbem\WMIC.exe (PID 524)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F9276E2F-ACFF-4708-BCB1-F0A9011CD438}'" delete

  C:\Windows\system32\cmd.exe (PID 1564)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3C8AB8E-8532-4D1E-9214-4210D792EC6A}'" delete

    C:\Windows\System32\wbem\WMIC.exe (PID 468)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3C8AB8E-8532-4D1E-9214-4210D792EC6A}'" delete

  C:\Windows\system32\cmd.exe (PID 1408)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E76C29A-2DC1-410F-80E4-1E8FD3F45D65}'" delete

    C:\Windows\System32\wbem\WMIC.exe (PID 980)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E76C29A-2DC1-410F-80E4-1E8FD3F45D65}'" delete

  C:\Windows\system32\cmd.exe (PID 576)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B20EEB1-2BE5-498F-A1E2-70CDF5EC36A8}'" delete

    C:\Windows\System32\wbem\WMIC.exe (PID 1612)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B20EEB1-2BE5-498F-A1E2-70CDF5EC36A8}'" delete

  C:\Windows\system32\cmd.exe (PID 1972)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{473003D3-A154-4F7C-9D8C-00BACFEAC351}'" delete

    C:\Windows\System32\wbem\WMIC.exe (PID 832)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{473003D3-A154-4F7C-9D8C-00BACFEAC351}'" delete

C:\Windows\system32\vssvc.exe (PID 1812)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken