Analysis
-
max time kernel
55s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
16/03/2023, 14:41
Static task
static1
Behavioral task
behavioral1
Sample
2700000.dll
Resource
win7-20230220-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2700000.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2700000.dll
-
Size
432KB
-
MD5
48bfb197c90d573c36b9e663e956e20a
-
SHA1
5156a2afea820702ceffb01f30206ce8637b638c
-
SHA256
ab53894c820ba5717a3b43d053fee8dbec2be37f2877b022135a1b097a7a24ad
-
SHA512
4406f05f65e06128deaffbf55d9e5d80bd55effa94548007ead9998e026f78e296c6324980ebf9323457adc7aebc2e1a226c535b651b32c6f56f58384e621ee5
-
SSDEEP
12288:MI7ndMfOx7MnnAZWADGK5einHoXnp8YR:DeOZMnAzGK5eiOn+YR
Score
3/10
Malware Config
Signatures
-
Program crash 3 IoCs
pid pid_target Process procid_target 1108 1216 WerFault.exe 27 2016 1880 WerFault.exe 36 1820 784 WerFault.exe 39 -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 640 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 640 AUDIODG.EXE Token: 33 640 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 640 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 1716 wrote to memory of 1216 1716 rundll32.exe 27 PID 1716 wrote to memory of 1216 1716 rundll32.exe 27 PID 1716 wrote to memory of 1216 1716 rundll32.exe 27 PID 1716 wrote to memory of 1216 1716 rundll32.exe 27 PID 1716 wrote to memory of 1216 1716 rundll32.exe 27 PID 1716 wrote to memory of 1216 1716 rundll32.exe 27 PID 1716 wrote to memory of 1216 1716 rundll32.exe 27 PID 1216 wrote to memory of 1108 1216 rundll32.exe 28 PID 1216 wrote to memory of 1108 1216 rundll32.exe 28 PID 1216 wrote to memory of 1108 1216 rundll32.exe 28 PID 1216 wrote to memory of 1108 1216 rundll32.exe 28 PID 1628 wrote to memory of 2040 1628 cmd.exe 35 PID 1628 wrote to memory of 2040 1628 cmd.exe 35 PID 1628 wrote to memory of 2040 1628 cmd.exe 35 PID 2040 wrote to memory of 1880 2040 rundll32.exe 36 PID 2040 wrote to memory of 1880 2040 rundll32.exe 36 PID 2040 wrote to memory of 1880 2040 rundll32.exe 36 PID 2040 wrote to memory of 1880 2040 rundll32.exe 36 PID 2040 wrote to memory of 1880 2040 rundll32.exe 36 PID 2040 wrote to memory of 1880 2040 rundll32.exe 36 PID 2040 wrote to memory of 1880 2040 rundll32.exe 36 PID 1880 wrote to memory of 2016 1880 rundll32.exe 37 PID 1880 wrote to memory of 2016 1880 rundll32.exe 37 PID 1880 wrote to memory of 2016 1880 rundll32.exe 37 PID 1880 wrote to memory of 2016 1880 rundll32.exe 37 PID 1628 wrote to memory of 1980 1628 cmd.exe 38 PID 1628 wrote to memory of 1980 1628 cmd.exe 38 PID 1628 wrote to memory of 1980 1628 cmd.exe 38 PID 1980 wrote to memory of 784 1980 rundll32.exe 39 PID 1980 wrote to memory of 784 1980 rundll32.exe 39 PID 1980 wrote to memory of 784 1980 rundll32.exe 39 PID 1980 wrote to memory of 784 1980 rundll32.exe 39 PID 1980 wrote to memory of 784 1980 rundll32.exe 39 PID 1980 wrote to memory of 784 1980 rundll32.exe 39 PID 1980 wrote to memory of 784 1980 rundll32.exe 39 PID 784 wrote to memory of 1820 784 rundll32.exe 40 PID 784 wrote to memory of 1820 784 rundll32.exe 40 PID 784 wrote to memory of 1820 784 rundll32.exe 40 PID 784 wrote to memory of 1820 784 rundll32.exe 40
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2700000.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2700000.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 2243⤵
- Program crash
PID:1108
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:472
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1f01⤵
- Suspicious use of AdjustPrivilegeToken
PID:640
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\system32\rundll32.exerundll32 2700000.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\rundll32.exerundll32 2700000.dll,#13⤵
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 2244⤵
- Program crash
PID:2016
-
-
-
-
C:\Windows\system32\rundll32.exerundll32 2700000.dll,Initialize2⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\rundll32.exerundll32 2700000.dll,Initialize3⤵
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 2244⤵
- Program crash
PID:1820
-
-
-