5900cf2b1231dde4485330206719ccd8439b01c09043c1882e2f0936bfcb0b6b

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2023 04:45

Target

5900cf2b1231dde4485330206719ccd8439b01c09043c1882e2f0936bfcb0b6b.dll
Size

2.2MB
MD5

07bb17023f641f0eba5579f6cdb1f626
SHA1

d06c230a5f624e9e804800d19a16201cd998b7d2
SHA256

5900cf2b1231dde4485330206719ccd8439b01c09043c1882e2f0936bfcb0b6b
SHA512

c7aaffda434ca8b72324b20138493a6e477a15576a13fd6fcb399870f36713d2b9c87549d4e962385bd840bd94ed693a4aff10d1bafc774835a3bdf5ee601851
SSDEEP

49152:F1wSjpuawjQ7grvSgShfpsCRmzHj5cGjarXW:XfskS0hfe53aC

Score

7^/10

upx

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1244-133-0x0000000010000000-0x00000000108BC000-memory.dmp	upx
behavioral2/memory/1244-134-0x0000000010000000-0x00000000108BC000-memory.dmp	upx
behavioral2/memory/1244-135-0x0000000010000000-0x00000000108BC000-memory.dmp	upx
behavioral2/memory/1244-150-0x0000000010000000-0x00000000108BC000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1244	rundll32.exe
1244	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	rundll32.exe
Token: SeDebugPrivilege	1244	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1244	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 1244	4400	rundll32.exe	85
PID 4400 wrote to memory of 1244	4400	rundll32.exe	85
PID 4400 wrote to memory of 1244	4400	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5900cf2b1231dde4485330206719ccd8439b01c09043c1882e2f0936bfcb0b6b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5900cf2b1231dde4485330206719ccd8439b01c09043c1882e2f0936bfcb0b6b.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1244

memory/1244-133-0x0000000010000000-0x00000000108BC000-memory.dmp

Filesize
8.7MB

Download
memory/1244-134-0x0000000010000000-0x00000000108BC000-memory.dmp

Filesize
8.7MB

Download
memory/1244-135-0x0000000010000000-0x00000000108BC000-memory.dmp

Filesize
8.7MB

Download
memory/1244-150-0x0000000010000000-0x00000000108BC000-memory.dmp

Filesize
8.7MB

Download