c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 21:13

Target

gamft.dll
Size

378KB
MD5

82d4025b84cf569ec82d21918d641540
SHA1

62f5a16d1ef20064dd78f5d934c84d474aca8bbe
SHA256

c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c
SHA512

4b310bc91a10b02b659c6d08b42578b85e42697cbfd41823d84443b559ad6efb46952ffda9ac322933ac0cc66d13ce9698e824084e53093d05cfe71fd6d59df5
SSDEEP

6144:jstnb/4misK1vTrwKrdumJ9QbFQUU9YNj/GW9wz29nH9laVgm1GChaIdVNoxB6MT:A5/jisK1vQKrduY+FQ39YNj/H2QnW3w1

Score

8^/10

Blocklisted process makes network request 20 IoCs

Processes:

rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\Tasks\NvTmRep_CrashReport3_{B2FE1952-0186-36D3-AAHC-AB80CA35AH5B6}.job rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2004 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2004 rundll32.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
File created	C:\Windows\Tasks\NvTmRep_CrashReport3_{B2FE1952-0186-36D3-AAHC-AB80CA35AH5B6}.job	rundll32.exe

pid	process
2004	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2004	rundll32.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact