Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2023, 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll
  Resource: win10v2004-20230915-en
General
Target: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll
Size: 2.2MB
MD5: 8c4093ee562999250be2a43f779e3891
SHA1: 6a3d9e746d816d4a6783e3e07762d3326e5f20d6
SHA256: 0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698
SHA512: ba09f853794288046dfc4303744d6719fd4ec3a72251643768e8169fa61b49ff10fa98d385c5006d500eaffecf13228de48011b159fa11737f0d10e4c6a20cf5
SSDEEP: 24576:VwsrMlIuyTmeRnY0EHDmO8Nk0/IPH+dzi1RdiU620z55PVI7gxzS5wjdekJ5lrih:VLrrWPWz7U624rDSw/wh
Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken (35 IoCs)
description                           pid   Process
Token: 1                              1864  rundll32.exe
Token: SeCreateTokenPrivilege         1864  rundll32.exe
Token: SeAssignPrimaryTokenPrivilege  1864  rundll32.exe
Token: SeLockMemoryPrivilege          1864  rundll32.exe
Token: SeIncreaseQuotaPrivilege       1864  rundll32.exe
Token: SeMachineAccountPrivilege      1864  rundll32.exe
Token: SeTcbPrivilege                 1864  rundll32.exe
Token: SeSecurityPrivilege            1864  rundll32.exe
Token: SeTakeOwnershipPrivilege       1864  rundll32.exe
Token: SeLoadDriverPrivilege          1864  rundll32.exe
Token: SeSystemProfilePrivilege       1864  rundll32.exe
Token: SeSystemtimePrivilege          1864  rundll32.exe
Token: SeProfSingleProcessPrivilege   1864  rundll32.exe
Token: SeIncBasePriorityPrivilege     1864  rundll32.exe
Token: SeCreatePagefilePrivilege      1864  rundll32.exe
Token: SeCreatePermanentPrivilege     1864  rundll32.exe
Token: SeBackupPrivilege              1864  rundll32.exe
Token: SeRestorePrivilege             1864  rundll32.exe
Token: SeShutdownPrivilege            1864  rundll32.exe
Token: SeDebugPrivilege               1864  rundll32.exe
Token: SeAuditPrivilege               1864  rundll32.exe
Token: SeSystemEnvironmentPrivilege   1864  rundll32.exe
Token: SeChangeNotifyPrivilege        1864  rundll32.exe
Token: SeRemoteShutdownPrivilege      1864  rundll32.exe
Token: SeUndockPrivilege              1864  rundll32.exe
Token: SeSyncAgentPrivilege           1864  rundll32.exe
Token: SeEnableDelegationPrivilege    1864  rundll32.exe
Token: SeManageVolumePrivilege        1864  rundll32.exe
Token: SeImpersonatePrivilege         1864  rundll32.exe
Token: SeCreateGlobalPrivilege        1864  rundll32.exe
Token: 31                             1864  rundll32.exe
Token: 32                             1864  rundll32.exe
Token: 33                             1864  rundll32.exe
Token: 34                             1864  rundll32.exe
Token: 35                             1864  rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
1864  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process       procid_target
PID 4496 wrote to memory of 1864  4496  rundll32.exe  85
PID 4496 wrote to memory of 1864  4496  rundll32.exe  85
PID 4496 wrote to memory of 1864  4496  rundll32.exe  85
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4496

  C:\Windows\SysWOW64\rundll32.exe (child of PID 4496)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce061279f9044198448f1cbad22cff779d9a656e2011423ed5895a7b7d6e698.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1864
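Two things in this report are worth reading together rather than as isolated signatures: the AdjustPrivilegeToken rows show PID 1864 enabling every privilege in sequence, including LUIDs the sandbox lists only by number (1 and 31 to 35), which is the shape of a loop over the whole privilege range rather than a targeted request for one privilege; and the WriteProcessMemory rows go from the System32 rundll32.exe (PID 4496) into the SysWOW64 rundll32.exe it spawned with the same command line (PID 1864), which is what the 64-bit rundll32 hand-off to the 32-bit loader looks like when the DLL is 32-bit, not a write into an unrelated process. The script below is an added example, not code from the report or from the sandbox: it re-parses the rows in the report's own row syntax (the privilege names and the three WriteProcessMemory rows are transcribed from the tables above, the process tree is transcribed from the Processes block), and applies those two heuristics. The `min_run` threshold of 20 and the relation labels are my own choices, not sandbox conventions.

```python
"""Heuristics over the signature rows in the sandbox report above.

Added example, not part of the report or of any sandbox's own code.
Inputs are constructed here in the report's row syntax so the script
runs offline; the values are transcribed from the report tables.
"""
import re
from collections import defaultdict

# Privilege names exactly as the report lists them, in the order logged.
# Bare numbers are LUIDs the report gives without a name.
REPORTED_PRIVS = [
    "1", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeLockMemoryPrivilege", "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege",
    "SeTcbPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
    "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege",
    "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege", "SeAuditPrivilege",
    "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege", "31", "32", "33", "34", "35",
]
# Rebuild the report's run-together row syntax: "Token: <name> <pid> <process> ..."
PRIV_ROWS = " ".join(f"Token: {p} 1864 rundll32.exe" for p in REPORTED_PRIVS)

# The three WriteProcessMemory rows, copied from the report.
WPM_ROWS = (
    "PID 4496 wrote to memory of 1864 4496 rundll32.exe 85 "
    "PID 4496 wrote to memory of 1864 4496 rundll32.exe 85 "
    "PID 4496 wrote to memory of 1864 4496 rundll32.exe 85"
)
# Process tree from the report: pid -> (image path, parent pid).
TREE = {
    4496: (r"C:\Windows\system32\rundll32.exe", None),
    1864: (r"C:\Windows\SysWOW64\rundll32.exe", 4496),
}

PRIV_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\d+\s+\S+\s+\d+")


def parse_privileges(rows):
    """Return [(privilege, pid, process)] in the order the sandbox logged them."""
    return [(name, int(pid), proc) for name, pid, proc in PRIV_RE.findall(rows)]


def privilege_verdict(entries, min_run=20):
    """Per PID: how many privileges were enabled, whether SeDebugPrivilege was
    among them, which LUIDs had no name, and whether the run is long enough
    (and includes unnamed LUIDs) to look like a loop over every LUID rather
    than a targeted AdjustTokenPrivileges call. min_run is an assumed threshold."""
    by_pid = defaultdict(list)
    for name, pid, _ in entries:
        by_pid[pid].append(name)
    verdicts = {}
    for pid, names in by_pid.items():
        unnamed = [n for n in names if n.isdigit()]
        verdicts[pid] = {
            "count": len(names),
            "has_debug": "SeDebugPrivilege" in names,
            "unnamed_luids": unnamed,
            "enable_all_loop": len(names) >= min_run and bool(unnamed),
        }
    return verdicts


def classify_writes(rows, tree):
    """Label each WriteProcessMemory row by the writer/target relation.
    A parent writing into its own child with the same image name matches the
    x64 rundll32 -> SysWOW64 rundll32 hand-off seen here; a write into a PID
    that is not the writer's child is a candidate for cross-process injection."""
    labels = []
    for writer, target in WPM_RE.findall(rows):
        writer, target = int(writer), int(target)
        w_img, _ = tree.get(writer, ("?", None))
        t_img, t_parent = tree.get(target, ("?", None))
        same_image = w_img.rsplit("\\", 1)[-1].lower() == t_img.rsplit("\\", 1)[-1].lower()
        if t_parent == writer and same_image:
            rel = "parent-to-own-child-same-image"
        elif t_parent == writer:
            rel = "parent-to-own-child"
        else:
            rel = "cross-process"
        labels.append((writer, target, rel))
    return labels


if __name__ == "__main__":
    for pid, verdict in privilege_verdict(parse_privileges(PRIV_ROWS)).items():
        print(pid, verdict)
    for row in classify_writes(WPM_ROWS, TREE):
        print(row)
```

On this report the privilege verdict for PID 1864 is a 35-entry run with SeDebugPrivilege and six unnamed LUIDs, so the loop heuristic fires, while all three memory writes classify as parent-to-own-child-same-image; the signature that actually separates this sample from a benign 32-bit DLL loaded via rundll32 is the privilege loop (and the SetWindowsHookEx call in the same process), not the WriteProcessMemory rows.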