0ad535866c95c0ab8ecacf4db038b845c016a8afb9a75389d3afe9118c9ac79b

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15/01/2024, 02:43

Target

597f596ee0eaf199d49de8d2cded1c52.dll
Size

226KB
MD5

597f596ee0eaf199d49de8d2cded1c52
SHA1

7b09f48bd08d9619027501674feb0a605a14544e
SHA256

0ad535866c95c0ab8ecacf4db038b845c016a8afb9a75389d3afe9118c9ac79b
SHA512

9d3fbce1c2da4b0764043069762e82408eef521f439751a4cbb83bf23e61529b01d128f9b0a951df7d803c7bceeb7116ff897d11309e86eaf5b2c8ae241b809a
SSDEEP

3072:K3PCGOvg67u7VXgfDSfcxcECRgbWtcO20lSyLP1mD403rKmOckKylnD6Yd1:K34I67upQomy1lfLP1m807HdkKylDf

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2524	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twisys.ini	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2524	2800	rundll32.exe	28
PID 2800 wrote to memory of 2524	2800	rundll32.exe	28
PID 2800 wrote to memory of 2524	2800	rundll32.exe	28
PID 2800 wrote to memory of 2524	2800	rundll32.exe	28
PID 2800 wrote to memory of 2524	2800	rundll32.exe	28
PID 2800 wrote to memory of 2524	2800	rundll32.exe	28
PID 2800 wrote to memory of 2524	2800	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\597f596ee0eaf199d49de8d2cded1c52.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\597f596ee0eaf199d49de8d2cded1c52.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

C:\Windows\twisys.ini

Filesize
15B

MD5
f76b79ad78d2c7c08e33c53798efd7ab

SHA1
40e3ed279bb7e37b7e37c62ad9b7183f81234ca2

SHA256
3c9fee212611cf3dde2fcc18e09e3811a37c6bc2eb4b542d1006f96601dfa04c

SHA512
7aebfa69e2b70d647f64ed912ca6d5ae881d4df6679cac303c67a69abce98f4ef5d185b0c07efbe5fb67ee9453311f58a3ac50272889f59ba73e3c45ba667647

Download Submit
memory/2524-0-0x00000000005F0000-0x000000000062E000-memory.dmp

Filesize
248KB

Download