aa822a37848e5b96a0b81498b5e5fb777ebdbd108803ef28f4204ddace2c8bc9

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa822a37848e5b96a0b81498b5e5fb777ebdbd108803ef28f4204ddace2c8bc9.dll
Size

746KB
MD5

3465b737883e4ef3032aaa8366cca613
SHA1

e310428d3c2eda08008af0269436da85dc898d29
SHA256

aa822a37848e5b96a0b81498b5e5fb777ebdbd108803ef28f4204ddace2c8bc9
SHA512

12693be45e26b884ed3c903c0aa7cc1a88dc75a21bd86a14bf141404c6dba8be1996f35887eda26cd3aec86ea8a049e0ea4adff9f437042ed6717e71d3d697d3
SSDEEP

6144:WGKaoMs7Fu6D2BmkpUG6zH02MOS2SROTh2Oao9isJ0xqag18jq0Xw7oJZ52ko7KJ:W8s7c6D2BHS7MGt2NQVb1FoJZ5/Er8j

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	428	wmic.exe
Token: SeSecurityPrivilege	428	wmic.exe
Token: SeTakeOwnershipPrivilege	428	wmic.exe
Token: SeLoadDriverPrivilege	428	wmic.exe
Token: SeSystemProfilePrivilege	428	wmic.exe
Token: SeSystemtimePrivilege	428	wmic.exe
Token: SeProfSingleProcessPrivilege	428	wmic.exe
Token: SeIncBasePriorityPrivilege	428	wmic.exe
Token: SeCreatePagefilePrivilege	428	wmic.exe
Token: SeBackupPrivilege	428	wmic.exe
Token: SeRestorePrivilege	428	wmic.exe
Token: SeShutdownPrivilege	428	wmic.exe
Token: SeDebugPrivilege	428	wmic.exe
Token: SeSystemEnvironmentPrivilege	428	wmic.exe
Token: SeRemoteShutdownPrivilege	428	wmic.exe
Token: SeUndockPrivilege	428	wmic.exe
Token: SeManageVolumePrivilege	428	wmic.exe
Token: 33	428	wmic.exe
Token: 34	428	wmic.exe
Token: 35	428	wmic.exe
Token: 36	428	wmic.exe
Token: SeIncreaseQuotaPrivilege	428	wmic.exe
Token: SeSecurityPrivilege	428	wmic.exe
Token: SeTakeOwnershipPrivilege	428	wmic.exe
Token: SeLoadDriverPrivilege	428	wmic.exe
Token: SeSystemProfilePrivilege	428	wmic.exe
Token: SeSystemtimePrivilege	428	wmic.exe
Token: SeProfSingleProcessPrivilege	428	wmic.exe
Token: SeIncBasePriorityPrivilege	428	wmic.exe
Token: SeCreatePagefilePrivilege	428	wmic.exe
Token: SeBackupPrivilege	428	wmic.exe
Token: SeRestorePrivilege	428	wmic.exe
Token: SeShutdownPrivilege	428	wmic.exe
Token: SeDebugPrivilege	428	wmic.exe
Token: SeSystemEnvironmentPrivilege	428	wmic.exe
Token: SeRemoteShutdownPrivilege	428	wmic.exe
Token: SeUndockPrivilege	428	wmic.exe
Token: SeManageVolumePrivilege	428	wmic.exe
Token: 33	428	wmic.exe
Token: 34	428	wmic.exe
Token: 35	428	wmic.exe
Token: 36	428	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3680	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3680	4956	rundll32.exe	85
PID 4956 wrote to memory of 3680	4956	rundll32.exe	85
PID 4956 wrote to memory of 3680	4956	rundll32.exe	85
PID 3680 wrote to memory of 428	3680	rundll32.exe	86
PID 3680 wrote to memory of 428	3680	rundll32.exe	86
PID 3680 wrote to memory of 428	3680	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa822a37848e5b96a0b81498b5e5fb777ebdbd108803ef28f4204ddace2c8bc9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa822a37848e5b96a0b81498b5e5fb777ebdbd108803ef28f4204ddace2c8bc9.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic useraccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:428

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads