aab63af0ca49386afcb580d7c52a0da4371f6e9a40d37847915e4bdac6f2a800

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:19

Target

0fd775763f31070adbefd821f41eb47a.dll
Size

64KB
MD5

0fd775763f31070adbefd821f41eb47a
SHA1

fbbadfa4b765d3b2080953e3869c1e9fe94f70ef
SHA256

aab63af0ca49386afcb580d7c52a0da4371f6e9a40d37847915e4bdac6f2a800
SHA512

43f37d72375e8798e663ed3243d6db3149924e951f2f14ca444309057edbc0210ced3d51a0cdbe8af239f48f92a66d1ce484b9586a8317e173c140a5db7e8294
SSDEEP

1536:qlSxqKJ5Oxm1z9qqqqqqqqqqqqqqqqqqqqqq9CdSSSSSSSSSSSSSSSSSh6asdCka:aS/t1zCTa8dQsu

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2172-0-0x00000000000A0000-0x00000000000AF000-memory.dmp	upx
behavioral1/memory/2172-3-0x00000000000B0000-0x00000000000BF000-memory.dmp	upx
behavioral1/memory/2172-7-0x00000000000B0000-0x00000000000BF000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2172	2156	rundll32.exe	28
PID 2156 wrote to memory of 2172	2156	rundll32.exe	28
PID 2156 wrote to memory of 2172	2156	rundll32.exe	28
PID 2156 wrote to memory of 2172	2156	rundll32.exe	28
PID 2156 wrote to memory of 2172	2156	rundll32.exe	28
PID 2156 wrote to memory of 2172	2156	rundll32.exe	28
PID 2156 wrote to memory of 2172	2156	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd775763f31070adbefd821f41eb47a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd775763f31070adbefd821f41eb47a.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

memory/2172-0-0x00000000000A0000-0x00000000000AF000-memory.dmp

Filesize
60KB

Download
memory/2172-1-0x00000000000A0000-0x00000000000AF000-memory.dmp

Filesize
60KB

Download
memory/2172-2-0x00000000000A0000-0x00000000000AF000-memory.dmp

Filesize
60KB

Download
memory/2172-3-0x00000000000B0000-0x00000000000BF000-memory.dmp

Filesize
60KB

Download
memory/2172-7-0x00000000000B0000-0x00000000000BF000-memory.dmp

Filesize
60KB

Download