Analysis

max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-es
resource tags: arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system:windows
submitted: 23-05-2023 15:22
Static task: static1 (1 signature)
General

Target: 5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3.dll
Size: 68KB
MD5: 0e9a211f76500fcb3f47f4ea3c94b1c5
SHA1: f92f1d121642844b1dab7eee204aa83a5ee0a1e2
SHA256: 5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3
SHA512: 15ccb1a92f48bcbd5b9043b9dc275170030a73ad5ffc9e55550a32cf3f2ac3379dc65b95851ec9c5bd643093b28f37dbb41fe2319af374a725e83a7a1870d76f
SSDEEP: 1536:BlYfWdaqTjOnvQ6xSqb1L/8TOAEvvbkzLA/vZd/:Hyaj6xS01L/IOAU/vZ
Malware Config
Signatures
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
    description                             pid   process
    Token: SeImpersonatePrivilege           1976  rundll32.exe
    Token: SeTcbPrivilege                   1976  rundll32.exe
    Token: SeChangeNotifyPrivilege          1976  rundll32.exe
    Token: SeCreateTokenPrivilege           1976  rundll32.exe
    Token: SeBackupPrivilege                1976  rundll32.exe
    Token: SeRestorePrivilege               1976  rundll32.exe
    Token: SeIncreaseQuotaPrivilege         1976  rundll32.exe
    Token: SeAssignPrimaryTokenPrivilege    1976  rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                        pid   process       target process
    PID 936 wrote to memory of 1976    936   rundll32.exe  rundll32.exe
  (the same row is reported 7 times: seven writes from PID 936 into PID 1976)
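The two IoC tables above were exported by the sandbox with every row run together on one line. The following is an added example, not part of the sandbox report or the sample: it parses those flattened rows back into records and re-applies the behavioural check they hint at, namely a process that enables several token-manipulation privileges after another process has written into its memory. The table text is copied from this report; the privilege set and the threshold of two such privileges are the example's own assumptions.

```python
# Added example, not part of the sandbox report: rebuilds the two flattened
# IoC tables above into records and re-applies the behavioural check they
# suggest, so the same logic can be pointed at other reports of this shape.
import re
from collections import defaultdict

# Copied from the report above. The sandbox ran the rows of each table
# together on a single line; the parsers below split them back out.
PRIV_TABLE = (
    "Token: SeImpersonatePrivilege 1976 rundll32.exe "
    "Token: SeTcbPrivilege 1976 rundll32.exe "
    "Token: SeChangeNotifyPrivilege 1976 rundll32.exe "
    "Token: SeCreateTokenPrivilege 1976 rundll32.exe "
    "Token: SeBackupPrivilege 1976 rundll32.exe "
    "Token: SeRestorePrivilege 1976 rundll32.exe "
    "Token: SeIncreaseQuotaPrivilege 1976 rundll32.exe "
    "Token: SeAssignPrimaryTokenPrivilege 1976 rundll32.exe"
)
WPM_TABLE = " ".join(
    ["PID 936 wrote to memory of 1976 936 rundll32.exe rundll32.exe"] * 7
)

# Column layout of the two tables: (description, pid, process[, target process]).
PRIV_ROW = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")
WPM_ROW = re.compile(
    r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)"
)

# Assumption of this example: privileges that let a process mint, assign or
# borrow access tokens. SeChangeNotifyPrivilege is enabled on every token by
# default, so it is deliberately not part of the signal.
TOKEN_PRIVS = frozenset({
    "SeTcbPrivilege",
    "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege",
})


def parse_privileges(text):
    """Return {pid: {"process": name, "privileges": set of privilege names}}."""
    procs = {}
    for priv, pid, name in PRIV_ROW.findall(text):
        entry = procs.setdefault(int(pid), {"process": name, "privileges": set()})
        entry["privileges"].add(priv)
    return procs


def parse_writes(text):
    """Return a list of (writer_pid, target_pid, writer_name, target_name)."""
    return [
        (int(writer), int(target), writer_name, target_name)
        for writer, target, _pid, writer_name, target_name in WPM_ROW.findall(text)
    ]


def assess(priv_text, wpm_text, min_token_privs=2):
    """Flag processes that enabled at least `min_token_privs` token-manipulation
    privileges and also had their memory written by a different process."""
    procs = parse_privileges(priv_text)
    written_by = defaultdict(set)
    for writer, target, _writer_name, _target_name in parse_writes(wpm_text):
        if writer != target:
            written_by[target].add(writer)
    findings = []
    for pid, info in sorted(procs.items()):
        hits = info["privileges"] & TOKEN_PRIVS
        if len(hits) >= min_token_privs and pid in written_by:
            findings.append({
                "pid": pid,
                "process": info["process"],
                "token_privileges": sorted(hits),
                "written_by": set(written_by[pid]),
            })
    return findings


if __name__ == "__main__":
    for f in assess(PRIV_TABLE, WPM_TABLE):
        print(f"PID {f['pid']} ({f['process']}): enabled "
              f"{', '.join(f['token_privileges'])}; memory written by "
              f"PID(s) {sorted(f['written_by'])}")
```

On this report the check yields one finding, PID 1976, with four of the token privileges enabled and PID 936 as the writer. Treat the WriteProcessMemory rows on their own as weak evidence: a parent writes into a child it has just created as part of normal process start-up, so the combination with the privilege set is what makes the pair worth a look, and the same logic can be fed Sysmon process-access and token events once they are flattened into the same two-column shape.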
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3.dll,#1
      - Suspicious use of AdjustPrivilegeToken

The two-level tree is the normal x64 behaviour for a 32-bit DLL: the 64-bit rundll32.exe in system32 cannot load it and relaunches the same command line through the 32-bit rundll32.exe in SysWOW64, which is consistent with the arch:x64 and arch:x86 resource tags. The ",#1" suffix tells rundll32 to call the DLL's export at ordinal 1. The WriteProcessMemory IoC is attributed to the parent and the AdjustPrivilegeToken IoC to the child, which matches the Signatures tables above, where PID 936 is the writer and PID 1976 the process that enabled the privileges.