fbd349b3d8d4545176bb79df2d77fe95e3298007390c3291951ffe7ecfe4ac37

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 19:53

Target

3dbbcf56ed2fa56a3c4b2672f4ec6234.dll
Size

13KB
MD5

3dbbcf56ed2fa56a3c4b2672f4ec6234
SHA1

6deae325940132fc156ecb949db2025c4866f41f
SHA256

fbd349b3d8d4545176bb79df2d77fe95e3298007390c3291951ffe7ecfe4ac37
SHA512

39cd845344ff3f51a9cda8065e47cdf5442b38ef222dc58060dbba91cfcae7f1160c329ac5cf4fbac7e96f4ceb9f1efa6f28a8cb432576dbf3b04c01819a913f
SSDEEP

384:BdmlNrdB31m8OkVpYbDUSTXZDw5g6/cBB2CbLCGEPc/:BMNr1pYbDUSTxwRsB1qA

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1756-0-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/1756-1-0x0000000010000000-0x000000001000E000-memory.dmp	upx

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1756	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1756	2312	rundll32.exe	28
PID 2312 wrote to memory of 1756	2312	rundll32.exe	28
PID 2312 wrote to memory of 1756	2312	rundll32.exe	28
PID 2312 wrote to memory of 1756	2312	rundll32.exe	28
PID 2312 wrote to memory of 1756	2312	rundll32.exe	28
PID 2312 wrote to memory of 1756	2312	rundll32.exe	28
PID 2312 wrote to memory of 1756	2312	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dbbcf56ed2fa56a3c4b2672f4ec6234.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dbbcf56ed2fa56a3c4b2672f4ec6234.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1756

memory/1756-0-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1756-1-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download