65cadd966b0d98d75900b115402b57475e76ca70c762050152866d7350fb8601

Analysis

max time kernel
144s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 05:12

Target

zmods_twitch.dll
Size

1.2MB
MD5

3b1a6a29073de849cb04b3d7b815ea73
SHA1

d840caa9e8969c8a326073132a1d45079da15390
SHA256

65cadd966b0d98d75900b115402b57475e76ca70c762050152866d7350fb8601
SHA512

0df24c53f2bb72246acd090f55dae1ad71cfe3415f87d6f6ef935aba54a0f3d1ef0e0c755a4a0daf3a863bae5071aba87b11f6df057836c5f81135324d25a76e
SSDEEP

12288:R7V8yqrCfPsloP2JaA88skvHclnu7iFLr3kuZmaFuk8fPlfTagS2ZjXhySKYih14:isW2Lr3kukr3Plfi4jXYbYBtSQI9

Score

5^/10

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
716	3584	WerFault.exe	85

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
992	mspaint.exe
992	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2324	OpenWith.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
992	mspaint.exe
2324	OpenWith.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3584	4692	rundll32.exe	85
PID 4692 wrote to memory of 3584	4692	rundll32.exe	85
PID 4692 wrote to memory of 3584	4692	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\zmods_twitch.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\zmods_twitch.dll,#1
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 660
    3⤵
    - Program crash
    PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3584 -ip 3584
1⤵
PID:3564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5060

memory/5060-133-0x00000238B3C60000-0x00000238B3C70000-memory.dmp

Filesize
64KB

Download
memory/5060-137-0x00000238B3CA0000-0x00000238B3CB0000-memory.dmp

Filesize
64KB

Download
memory/5060-144-0x00000238BBF70000-0x00000238BBF71000-memory.dmp

Filesize
4KB

Download
memory/5060-146-0x00000238BBFF0000-0x00000238BBFF1000-memory.dmp

Filesize
4KB

Download
memory/5060-148-0x00000238BBFF0000-0x00000238BBFF1000-memory.dmp

Filesize
4KB

Download
memory/5060-149-0x00000238BC080000-0x00000238BC081000-memory.dmp

Filesize
4KB

Download
memory/5060-150-0x00000238BC080000-0x00000238BC081000-memory.dmp

Filesize
4KB

Download
memory/5060-151-0x00000238BC090000-0x00000238BC091000-memory.dmp

Filesize
4KB

Download
memory/5060-152-0x00000238BC090000-0x00000238BC091000-memory.dmp

Filesize
4KB

Download