697f8971fef82519003b974ebd3fe162396846b2557f5879d36b8f4a7131dfbd

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 13:32

Target

dcomcnfg.exe
Size

8KB
MD5

7f3d01a6f054e0330bc798739aef0297
SHA1

bb9e1c933707d97b70bf8bd953aae327ad3444a7
SHA256

697f8971fef82519003b974ebd3fe162396846b2557f5879d36b8f4a7131dfbd
SHA512

ccd59f1921e12a812f0010002051916d69b0bf3798170651440b6685a0b7aed69da27548f2e5f4065fb4a74a986dffafdf785532ed29379d31727b9948814007
SSDEEP

96:nSt3Fxv37bV+O3BcKcss+ViUZCEV/kX2jF4CUxJEmVAVKWLDP2LVD7KkBBEWGcEr:Slf3woigsyx9rUxJEmVMKWSfsWGcEWN

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\comexp.msc	mmc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{882A7D36-6F6E-46CE-984A-8822BEE6257E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{882A7D36-6F6E-46CE-984A-8822BEE6257E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3772	mmc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3772	mmc.exe
Token: 33	3772	mmc.exe
Token: SeIncBasePriorityPrivilege	3772	mmc.exe
Token: 33	3772	mmc.exe
Token: SeIncBasePriorityPrivilege	3772	mmc.exe
Token: 33	3772	mmc.exe
Token: SeIncBasePriorityPrivilege	3772	mmc.exe
Token: 33	3772	mmc.exe
Token: SeIncBasePriorityPrivilege	3772	mmc.exe
Token: 33	3772	mmc.exe
Token: SeIncBasePriorityPrivilege	3772	mmc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3772	mmc.exe
3772	mmc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3772	4980	dcomcnfg.exe	83
PID 4980 wrote to memory of 3772	4980	dcomcnfg.exe	83

C:\Users\Admin\AppData\Local\Temp\dcomcnfg.exe
"C:\Users\Admin\AppData\Local\Temp\dcomcnfg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\system32\mmc.exe
  C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3772

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:552

memory/3772-133-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-134-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-135-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-136-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-137-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-138-0x00007FF45A930000-0x00007FF45A940000-memory.dmp

Filesize
64KB

Download
memory/3772-139-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-140-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-141-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-142-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-143-0x000000001DB00000-0x000000001DB10000-memory.dmp

Filesize
64KB

Download
memory/3772-144-0x00007FF45A930000-0x00007FF45A940000-memory.dmp

Filesize
64KB

Download