900493492456b03644ea348fb76e279ad8ad6fbf9ab31a01f413ca63a4d71835

Analysis

max time kernel
126s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 11:52

Target

e3a16de94ab18afae71801609f7a065a79841a2359d1faba523d923de3746ecd.dll
Size

3.3MB
MD5

f940c54cfa89b7012c8ad88be6aba5d1
SHA1

267857bfb4a0dec48964de4a112d20ed6816d48a
SHA256

e3a16de94ab18afae71801609f7a065a79841a2359d1faba523d923de3746ecd
SHA512

be73b6c1252344032f774f582aa7fcabf5b04beed865aad5170e61565ff2814dbcdd8a630ce4fd260e52436ae970e473c1304a0f54ec6fd84d099893af9d9ab3
SSDEEP

49152:pB3EIIvjFNVrb/TLvO90d7HjmAFd4A64nsfJ2D0D1sVYgLiL9Yy42qwCggO:GNJp2XCO

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	whoami.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2544	1988	rundll32.exe	82
PID 1988 wrote to memory of 2544	1988	rundll32.exe	82
PID 2544 wrote to memory of 1956	2544	cmd.exe	83
PID 2544 wrote to memory of 1956	2544	cmd.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3a16de94ab18afae71801609f7a065a79841a2359d1faba523d923de3746ecd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956

memory/1988-0-0x0000000055C80000-0x0000000056010000-memory.dmp

Filesize
3.6MB

Download