Analysis Overview
SHA256
329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54
Threat Level: Known bad
The file 329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54 was found to be: Known bad.
Malicious Activity Summary
SystemBC
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-02-07 23:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-07 23:06
Reported
2023-02-07 23:09
Platform
win10v2004-20220812-en
Max time kernel
132s
Max time network
144s
Command Line
Signatures
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4656 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4656 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4656 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.168.117.170:443 | | tcp |
| RU | 212.118.36.165:4193 | | tcp |
Files
memory/4860-132-0x0000000000000000-mapping.dmp
memory/4860-133-0x0000000010000000-0x000000001013B000-memory.dmp
memory/4860-134-0x0000000000B40000-0x0000000000C58000-memory.dmp
memory/4860-135-0x00000000005E0000-0x00000000005E4000-memory.dmp
memory/4860-136-0x00000000008D0000-0x00000000008D3000-memory.dmp
memory/4860-137-0x00000000008D0000-0x00000000008D3000-memory.dmp
memory/4860-138-0x00000000008D0000-0x00000000008D4000-memory.dmp
memory/4860-139-0x00000000008E0000-0x00000000008E3000-memory.dmp
memory/4860-140-0x0000000000900000-0x0000000000903000-memory.dmp
memory/4860-142-0x00000000008D0000-0x00000000008D3000-memory.dmp
memory/4860-141-0x00000000008D0000-0x00000000008D3000-memory.dmp
memory/4860-143-0x00000000008D0000-0x00000000008D4000-memory.dmp