Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 07/10/2023, 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll
  Resource: win10v2004-20230915-en
General
Target: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll
Size: 2.2MB
MD5: 8c4093ee562999250be2a43f779e3891
SHA1: 6a3d9e746d816d4a6783e3e07762d3326e5f20d6
SHA256: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698
SHA512: ba09f853794288046dfc4303744d6719fd4ec3a72251643768e8169fa61b49ff10fa98d385c5006d500eaffecf13228de48011b159fa11737f0d10e4c6a20cf5
SSDEEP: 24576:VwsrMlIuyTmeRnY0EHDmO8Nk0/IPH+dzi1RdiU620z55PVI7gxzS5wjdekJ5lrih:VLrrWPWz7U624rDSw/wh
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
description                                pid   process
Token: 1                                   2980  rundll32.exe
Token: SeCreateTokenPrivilege              2980  rundll32.exe
Token: SeAssignPrimaryTokenPrivilege       2980  rundll32.exe
Token: SeLockMemoryPrivilege               2980  rundll32.exe
Token: SeIncreaseQuotaPrivilege            2980  rundll32.exe
Token: SeMachineAccountPrivilege           2980  rundll32.exe
Token: SeTcbPrivilege                      2980  rundll32.exe
Token: SeSecurityPrivilege                 2980  rundll32.exe
Token: SeTakeOwnershipPrivilege            2980  rundll32.exe
Token: SeLoadDriverPrivilege               2980  rundll32.exe
Token: SeSystemProfilePrivilege            2980  rundll32.exe
Token: SeSystemtimePrivilege               2980  rundll32.exe
Token: SeProfSingleProcessPrivilege        2980  rundll32.exe
Token: SeIncBasePriorityPrivilege          2980  rundll32.exe
Token: SeCreatePagefilePrivilege           2980  rundll32.exe
Token: SeCreatePermanentPrivilege          2980  rundll32.exe
Token: SeBackupPrivilege                   2980  rundll32.exe
Token: SeRestorePrivilege                  2980  rundll32.exe
Token: SeShutdownPrivilege                 2980  rundll32.exe
Token: SeDebugPrivilege                    2980  rundll32.exe
Token: SeAuditPrivilege                    2980  rundll32.exe
Token: SeSystemEnvironmentPrivilege        2980  rundll32.exe
Token: SeChangeNotifyPrivilege             2980  rundll32.exe
Token: SeRemoteShutdownPrivilege           2980  rundll32.exe
Token: SeUndockPrivilege                   2980  rundll32.exe
Token: SeSyncAgentPrivilege                2980  rundll32.exe
Token: SeEnableDelegationPrivilege         2980  rundll32.exe
Token: SeManageVolumePrivilege             2980  rundll32.exe
Token: SeImpersonatePrivilege              2980  rundll32.exe
Token: SeCreateGlobalPrivilege             2980  rundll32.exe
Token: 31                                  2980  rundll32.exe
Token: 32                                  2980  rundll32.exe
Token: 33                                  2980  rundll32.exe
Token: 34                                  2980  rundll32.exe
Token: 35                                  2980  rundll32.exe

The numeric entries are privilege LUIDs the sandbox did not resolve to a name. Windows privilege LUIDs are fixed constants (the SE_*_PRIVILEGE values in winnt.h run from 2, SeCreateTokenPrivilege, to 36), so 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege, while 1 lies below the lowest defined privilege and names nothing. Read together with the 29 named entries, the process asked for every LUID from 1 to 35 in ascending order: the signature of a loop that tries to enable all privileges in its token rather than the one or two a legitimate component would request.

Suspicious use of SetWindowsHookEx (1 IoC)
pid   process
2980  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                        pid   process       procid_target
PID 1096 wrote to memory of 2980   1096  rundll32.exe  28
PID 1096 wrote to memory of 2980   1096  rundll32.exe  28
PID 1096 wrote to memory of 2980   1096  rundll32.exe  28
PID 1096 wrote to memory of 2980   1096  rundll32.exe  28
PID 1096 wrote to memory of 2980   1096  rundll32.exe  28
PID 1096 wrote to memory of 2980   1096  rundll32.exe  28
PID 1096 wrote to memory of 2980   1096  rundll32.exe  28

All seven writes go from 1096 into its own child 2980, at the point where the 64-bit rundll32 spawns the 32-bit copy. Parent-to-child writes clustered at process creation are also produced by an ordinary CreateProcess, so this signature carries little weight by itself; a write into a process outside this tree would be the notable case.
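As an added example, not part of the sandbox report: a small Python triage helper that parses the flattened "Token:" rows above, resolves the unnamed numeric entries through the fixed winnt.h privilege LUIDs, and flags a process whose requests form one contiguous LUID sweep. The row text is copied from this report; the sweep threshold of 20 and the high-value privilege set are the analyst's assumptions.

```python
import re
from collections import defaultdict

# Well-known privilege LUIDs from winnt.h (SE_*_PRIVILEGE). These are fixed on
# every Windows build, which is why a raw number from a sandbox can be mapped back.
PRIVILEGE_LUIDS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfSingleProcessPrivilege",
    14: "SeIncBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}
NAME_TO_LUID = {v: k for k, v in PRIVILEGE_LUIDS.items()}

# Assumption: privileges worth a look on their own when a DLL host asks for them.
HIGH_VALUE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
              "SeBackupPrivilege", "SeRestorePrivilege"}

ROW_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")

# Copied from the report's AdjustPrivilegeToken rows (whitespace re-wrapped).
TOKEN_ROWS = """Token: 1 2980 rundll32.exe Token: SeCreateTokenPrivilege 2980 rundll32.exe
Token: SeAssignPrimaryTokenPrivilege 2980 rundll32.exe Token: SeLockMemoryPrivilege 2980 rundll32.exe
Token: SeIncreaseQuotaPrivilege 2980 rundll32.exe Token: SeMachineAccountPrivilege 2980 rundll32.exe
Token: SeTcbPrivilege 2980 rundll32.exe Token: SeSecurityPrivilege 2980 rundll32.exe
Token: SeTakeOwnershipPrivilege 2980 rundll32.exe Token: SeLoadDriverPrivilege 2980 rundll32.exe
Token: SeSystemProfilePrivilege 2980 rundll32.exe Token: SeSystemtimePrivilege 2980 rundll32.exe
Token: SeProfSingleProcessPrivilege 2980 rundll32.exe Token: SeIncBasePriorityPrivilege 2980 rundll32.exe
Token: SeCreatePagefilePrivilege 2980 rundll32.exe Token: SeCreatePermanentPrivilege 2980 rundll32.exe
Token: SeBackupPrivilege 2980 rundll32.exe Token: SeRestorePrivilege 2980 rundll32.exe
Token: SeShutdownPrivilege 2980 rundll32.exe Token: SeDebugPrivilege 2980 rundll32.exe
Token: SeAuditPrivilege 2980 rundll32.exe Token: SeSystemEnvironmentPrivilege 2980 rundll32.exe
Token: SeChangeNotifyPrivilege 2980 rundll32.exe Token: SeRemoteShutdownPrivilege 2980 rundll32.exe
Token: SeUndockPrivilege 2980 rundll32.exe Token: SeSyncAgentPrivilege 2980 rundll32.exe
Token: SeEnableDelegationPrivilege 2980 rundll32.exe Token: SeManageVolumePrivilege 2980 rundll32.exe
Token: SeImpersonatePrivilege 2980 rundll32.exe Token: SeCreateGlobalPrivilege 2980 rundll32.exe
Token: 31 2980 rundll32.exe Token: 32 2980 rundll32.exe Token: 33 2980 rundll32.exe
Token: 34 2980 rundll32.exe Token: 35 2980 rundll32.exe"""


def parse_token_rows(text):
    """One dict per 'Token: <name-or-luid> <pid> <image>' entry in the flattened row."""
    rows = []
    for tok, pid, image in ROW_RE.findall(text):
        if tok.isdigit():
            luid = int(tok)
            name = PRIVILEGE_LUIDS.get(luid)   # None for LUID 1: below SE_MIN_WELL_KNOWN_PRIVILEGE (2)
        else:
            name, luid = tok, NAME_TO_LUID.get(tok)
        rows.append({"raw": tok, "luid": luid, "name": name, "pid": int(pid), "image": image})
    return rows


def longest_run(values):
    """Length of the longest run of consecutive integers in `values`."""
    s, best = set(values), 0
    for v in s:
        if v - 1 in s:
            continue                       # only start counting at the bottom of a run
        n = 1
        while v + n in s:
            n += 1
        best = max(best, n)
    return best


def assess(text, sweep_threshold=20):
    """Per-PID summary: request count, resolved numeric LUIDs, high-value privileges,
    and whether the LUIDs form a contiguous sweep (the enable-everything loop)."""
    per_pid = defaultdict(list)
    for row in parse_token_rows(text):
        per_pid[row["pid"]].append(row)
    report = {}
    for pid, rows in per_pid.items():
        luids = [r["luid"] for r in rows if r["luid"] is not None]
        names = {r["name"] for r in rows if r["name"]}
        run = longest_run(luids)
        report[pid] = {
            "image": rows[0]["image"],
            "requests": len(rows),
            "resolved_numeric": {int(r["raw"]): r["name"] for r in rows if r["raw"].isdigit()},
            "high_value": sorted(names & HIGH_VALUE),
            "longest_luid_run": run,
            "sweep": run >= sweep_threshold,
        }
    return report


if __name__ == "__main__":
    for pid, summary in assess(TOKEN_ROWS).items():
        print(pid, summary)
```

On Windows 10 and later the same adjustments are auditable in the Security log as event 4703 (Audit Token Right Adjusted Events); the Windows 7 image used for this run has no equivalent, so the sandbox's API-level signature is the only record.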
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1096
  C:\Windows\SysWOW64\rundll32.exe (child of 1096)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2980

The 64-bit rundll32 in system32 is handed a 32-bit DLL and re-executes the 32-bit rundll32 in SysWOW64 with the same command line, so the DLL's own behaviour (the privilege and hook activity) is attributed to the child, 2980. The ",#1" suffix tells rundll32 to call the export by ordinal 1 rather than by name.
-
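An added example, not part of the report: the checks a triage analyst would apply to this process tree, in Python. The process tuples and WriteProcessMemory events are constructed from the two rundll32 entries and the seven rows above; the parent of 1096 is not shown in the report and is left as None. The user-writable path prefixes, the reading of the WOW64 relaunch as an expected hop, and the weak/strong split of parent-to-child versus unrelated writes are the analyst's heuristics, not anything the sandbox states.

```python
import re
from collections import Counter

# Constructed from the report: (pid, parent_pid, image_path, command_line).
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll"
PROCESSES = [
    (1096, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    (2980, 1096, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
]
# "PID 1096 wrote to memory of 2980", seven times, as (writer, target).
WPM_EVENTS = [(1096, 2980)] * 7

# rundll32 <dll>,<entry>  where <entry> is an export name or "#<ordinal>".
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?)\s*,\s*(?P<entry>#?\w+)\s*$", re.I)
# Assumption: paths a standard user can write to; a DLL loaded from here is worth a look.
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public", r"\programdata")


def parse_rundll32(cmdline):
    """Split a rundll32 command line into DLL path and entry point, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, entry = m.group("dll").strip('"'), m.group("entry")
    return {
        "dll": dll,
        "entry": entry,
        "ordinal": entry.startswith("#"),
        "user_writable": any(p in dll.lower() for p in USER_WRITABLE),
    }


def is_wow64_relaunch(parent, child):
    """64-bit rundll32 re-executing the 32-bit copy with identical arguments: the normal
    hop for an x86 DLL passed to the system32 host, not an injection on its own."""
    return (parent[2].lower() == r"c:\windows\system32\rundll32.exe"
            and child[2].lower() == r"c:\windows\syswow64\rundll32.exe"
            and parent[3].split(None, 1)[1:] == child[3].split(None, 1)[1:])


def classify_wpm(processes, events):
    """Writes by a process into its direct child are expected at creation time; anything
    else is a cross-process write to investigate."""
    parent_of = {pid: ppid for pid, ppid, _, _ in processes}
    out = []
    for (writer, target), n in Counter(events).items():
        if parent_of.get(target) == writer:
            kind = "creation-time write by direct parent (weak signal)"
        else:
            kind = "write into unrelated process (investigate)"
        out.append({"writer": writer, "target": target, "count": n, "kind": kind})
    return out


def triage(processes, events):
    by_pid = {p[0]: p for p in processes}
    findings = []
    for p in processes:
        pid, ppid, _image, cmd = p
        info = parse_rundll32(cmd)
        if info and info["user_writable"] and info["ordinal"]:
            findings.append((pid, "rundll32 loading a DLL from a user-writable path by ordinal export"))
        if ppid in by_pid and is_wow64_relaunch(by_pid[ppid], p):
            findings.append((pid, "WOW64 relaunch of rundll32 (same DLL, same arguments): 32-bit payload, expected hop"))
    return {"findings": findings, "wpm": classify_wpm(processes, events)}


if __name__ == "__main__":
    result = triage(PROCESSES, WPM_EVENTS)
    for pid, msg in result["findings"]:
        print(pid, msg)
    for w in result["wpm"]:
        print(w)
```

The useful output is the combination: a DLL by ordinal from %TEMP%, a WOW64 hop that moves the real activity to the child, and WriteProcessMemory rows that all stay inside the parent-child pair. Swap in a tree where the writer is not the target's parent and classify_wpm promotes those rows to the case worth pulling memory for.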