6c611841f8150bff3266e0421a14b57c28c8767974adbd7e056db54162184934 | Triage

Analysis

max time kernel
126s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 20:47

Sharing

Report Analysis Logs

General

Target

tpkreport.dll
Size

240KB
MD5

ac20e6ab1f2ec5c6d40a11e686c24c37
SHA1

f43fa69f8c7e5c2a2d47282088f56cfce3c29982
SHA256

edb09e1c3d9d8e00f19c161168dcf2f1bc0d23ffb3317041aea0f4358a37b75e
SHA512

8c12c8a8f7dd180fadc14d2f4ae7cfa1c3562a22d27138bdff48e1443a1ca2d909c70242a6e111025cad2d74d6b995f2edb646aa06c9734204099039d06754cb
SSDEEP

6144:Evb9FnnmfP3y6CMhz3IknTBlS4aC57qIrOsGC:0JFnmfPi6CMp4GTXS4aqCC

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	rundll32.exe
2772	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2772	rundll32.exe
Token: SeRestorePrivilege	2772	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2772	4856	rundll32.exe	82
PID 4856 wrote to memory of 2772	4856	rundll32.exe	82
PID 4856 wrote to memory of 2772	4856	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tpkreport.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\tpkreport.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads