Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
10/01/2024, 14:36
Behavioral task
behavioral1
Sample
50d300cc4deb2ab91ac2c2fafbc7fae3.dll
Resource
win7-20231215-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
50d300cc4deb2ab91ac2c2fafbc7fae3.dll
Resource
win10v2004-20231222-en
5 signatures
150 seconds
General
-
Target
50d300cc4deb2ab91ac2c2fafbc7fae3.dll
-
Size
864KB
-
MD5
50d300cc4deb2ab91ac2c2fafbc7fae3
-
SHA1
af7903cf8855c75edd2c1995bf4e0ffbb08b712c
-
SHA256
e582ed5437c3b4f75803a43486f194fd2c7ae5190567e731c364aafa6cb37ef2
-
SHA512
3161b221edc7f90035db5ac762d30c368e838d9c9ad1dbb6c1cccfc16d140e5e5226fa9d79011b5d1bb80aa86b31b8cdc17d68d93260a66de5ce37f7fa6c5979
-
SSDEEP
24576:zZ/yh5MRglm6BgRWDd/tcZAYS3unvwmYzLf3M:zxe5MRr6Cq1cnvlSL
Score
7/10
Malware Config
Signatures
-
resource yara_rule
behavioral2/memory/2120-0-0x0000000010000000-0x000000001022F000-memory.dmp vmprotect
behavioral2/memory/2120-1-0x0000000010000000-0x000000001022F000-memory.dmp vmprotect
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2120 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2120 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2120 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1696 wrote to memory of 2120 1696 rundll32.exe 14
PID 1696 wrote to memory of 2120 1696 rundll32.exe 14
PID 1696 wrote to memory of 2120 1696 rundll32.exe 14
Processes
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50d300cc4deb2ab91ac2c2fafbc7fae3.dll,#11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2120
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50d300cc4deb2ab91ac2c2fafbc7fae3.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1696