b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1

Analysis

max time kernel
513s
max time network
516s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2023, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1.dll
Size

242KB
MD5

37355f4fd63e7abd89bdc841ed98229f
SHA1

a8d46a042e6095d7671dbac2aeff74c7bb5e792a
SHA256

b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1
SHA512

d40b42564ab8d7111e66159e8c176aeef6c8280aeb25edc28d464ca7c052274a41b5843bebb122be0066de3fdd80ee3216953ccbdc2106f900484c4c7f686d7b
SSDEEP

3072:s4WFqwI3hbcVWJO5trDcEZn7YhX7wB0SZk5MVMvs4tL7wUQk3lFjMXV:B5MMCtroEVYB7wqMVMIGA

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3928	rundll32.exe
3928	rundll32.exe
3928	rundll32.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	2904	vssvc.exe
Token: SeRestorePrivilege	2904	vssvc.exe
Token: SeAuditPrivilege	2904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4912	WMIC.exe
Token: SeSecurityPrivilege	4912	WMIC.exe
Token: SeTakeOwnershipPrivilege	4912	WMIC.exe
Token: SeLoadDriverPrivilege	4912	WMIC.exe
Token: SeSystemProfilePrivilege	4912	WMIC.exe
Token: SeSystemtimePrivilege	4912	WMIC.exe
Token: SeProfSingleProcessPrivilege	4912	WMIC.exe
Token: SeIncBasePriorityPrivilege	4912	WMIC.exe
Token: SeCreatePagefilePrivilege	4912	WMIC.exe
Token: SeBackupPrivilege	4912	WMIC.exe
Token: SeRestorePrivilege	4912	WMIC.exe
Token: SeShutdownPrivilege	4912	WMIC.exe
Token: SeDebugPrivilege	4912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4912	WMIC.exe
Token: SeRemoteShutdownPrivilege	4912	WMIC.exe
Token: SeUndockPrivilege	4912	WMIC.exe
Token: SeManageVolumePrivilege	4912	WMIC.exe
Token: 33	4912	WMIC.exe
Token: 34	4912	WMIC.exe
Token: 35	4912	WMIC.exe
Token: 36	4912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4912	WMIC.exe
Token: SeSecurityPrivilege	4912	WMIC.exe
Token: SeTakeOwnershipPrivilege	4912	WMIC.exe
Token: SeLoadDriverPrivilege	4912	WMIC.exe
Token: SeSystemProfilePrivilege	4912	WMIC.exe
Token: SeSystemtimePrivilege	4912	WMIC.exe
Token: SeProfSingleProcessPrivilege	4912	WMIC.exe
Token: SeIncBasePriorityPrivilege	4912	WMIC.exe
Token: SeCreatePagefilePrivilege	4912	WMIC.exe
Token: SeBackupPrivilege	4912	WMIC.exe
Token: SeRestorePrivilege	4912	WMIC.exe
Token: SeShutdownPrivilege	4912	WMIC.exe
Token: SeDebugPrivilege	4912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4912	WMIC.exe
Token: SeRemoteShutdownPrivilege	4912	WMIC.exe
Token: SeUndockPrivilege	4912	WMIC.exe
Token: SeManageVolumePrivilege	4912	WMIC.exe
Token: 33	4912	WMIC.exe
Token: 34	4912	WMIC.exe
Token: 35	4912	WMIC.exe
Token: 36	4912	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 5072	3928	rundll32.exe	84
PID 3928 wrote to memory of 5072	3928	rundll32.exe	84
PID 5072 wrote to memory of 4912	5072	cmd.exe	86
PID 5072 wrote to memory of 4912	5072	cmd.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F35FB671-1EC1-4105-8D0E-A7361B31BF47}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F35FB671-1EC1-4105-8D0E-A7361B31BF47}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads