Malware Analysis Report

2025-05-05 23:47

Sample ID 230209-yqlv1sah97
Target suspicious.dll
SHA256 a5fc814ab0a22c9684cb7587ffed6a7188e0a061ef4a268b4997e38a5f86aabd
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

a5fc814ab0a22c9684cb7587ffed6a7188e0a061ef4a268b4997e38a5f86aabd

Threat Level: Likely benign

The file suspicious.dll was found to be: Likely benign.

Malicious Activity Summary


Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-09 19:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-09 19:59

Reported

2023-02-09 20:02

Platform

win7-20220812-en

Max time kernel

151s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\suspicious.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\suspicious.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\suspicious.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 228

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x520

Network

N/A

Files

memory/1176-54-0x0000000000000000-mapping.dmp

memory/1176-55-0x0000000075091000-0x0000000075093000-memory.dmp

memory/1528-56-0x0000000000000000-mapping.dmp

memory/1052-57-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-09 19:59

Reported

2023-02-09 20:02

Platform

win10v2004-20220812-en

Max time kernel

131s

Max time network

169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\suspicious.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 4768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 4768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 4768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\suspicious.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\suspicious.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4768 -ip 4768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 600

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 52.182.143.210:443 tcp
NL 20.190.160.17:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa udp
NL 40.126.32.68:443 tcp

Files

memory/4768-132-0x0000000000000000-mapping.dmp