Analysis
max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
16/01/2024, 10:27
Behavioral task
behavioral1
Sample
5fa9d20296121bb0d6dfbf9994683f43.dll
Resource
win7-20231215-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
5fa9d20296121bb0d6dfbf9994683f43.dll
Resource
win10v2004-20231215-en
3 signatures
150 seconds
General
Target
5fa9d20296121bb0d6dfbf9994683f43.dll
Size
8KB
MD5
5fa9d20296121bb0d6dfbf9994683f43
SHA1
614cda8b624a35e636b6b28dc42206511725e81b
SHA256
9785c012a9d8f1f7682276ba3d8175ed4a613f1cb279370cea773b45d68a95cb
SHA512
26d6d5dee54d24a818d41f3053bcf5b64b943f4c6adb1f4f1cb08032523e2095db5b5c0f5499bbb86640dfe66a4b5b2c2169f5ef7ecf0f1c99769aa7c607fbf9
SSDEEP
48:id+P3zSSxPIux486DhFhklWqJ1ATDhZoEuYxf:QvSx335JOLoE
Score
5/10
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4572 set thread context of 5064 | 4572 | rundll32.exe | 87

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2268 | whoami.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 1268 wrote to memory of 4572 | 1268 | rundll32.exe | 86
PID 1268 wrote to memory of 4572 | 1268 | rundll32.exe | 86
PID 1268 wrote to memory of 4572 | 1268 | rundll32.exe | 86
PID 4572 wrote to memory of 5064 | 4572 | rundll32.exe | 87
PID 4572 wrote to memory of 5064 | 4572 | rundll32.exe | 87
PID 4572 wrote to memory of 5064 | 4572 | rundll32.exe | 87
PID 4572 wrote to memory of 5064 | 4572 | rundll32.exe | 87
PID 5064 wrote to memory of 2268 | 5064 | rundll32.exe | 89
PID 5064 wrote to memory of 2268 | 5064 | rundll32.exe | 89
PID 5064 wrote to memory of 2268 | 5064 | rundll32.exe | 89
Processes
C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fa9d20296121bb0d6dfbf9994683f43.dll,#1
    PID: 1268
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fa9d20296121bb0d6dfbf9994683f43.dll,#1
        PID: 4572
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe
            PID: 5064
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\whoami.exe
                command line: whoami
                PID: 2268
                - Suspicious use of AdjustPrivilegeToken
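The process tree above shows the 32-bit rundll32.exe (PID 4572) writing four times into a second rundll32.exe (PID 5064) that was launched with no arguments and then calling SetThreadContext on it, after which that child spawns whoami.exe. The script below is an added example, not code from the sandbox report or its vendor: it replays the report's own IoC rows (constructed here as one whitespace-separated event per line; a Sysmon or EDR API trace would give the same fields) and rebuilds the lineage and the injection pair from them. The heuristic is an assumption, not something the report states: a parent writing into a child it has just created is ordinary CreateProcess behaviour (which is why PID 1268 -> 4572 shows writes but no SetThreadContext), whereas the same source/target pair also seeing SetThreadContext means the child's thread was redirected, the hollowing / thread-hijack pattern.

```python
"""Rebuild process lineage and flag the injection pair from API-call events.

Added example; not code from the sandbox report. EVENTS is constructed from
the report's IoC rows: api, caller pid, caller image, target pid (or the
privilege name for token APIs). The write+SetThreadContext heuristic is an
assumption of this example, not a claim made by the report.
"""
from collections import defaultdict
from dataclasses import dataclass

EVENTS = """\
WriteProcessMemory 1268 rundll32.exe 4572
WriteProcessMemory 1268 rundll32.exe 4572
WriteProcessMemory 1268 rundll32.exe 4572
WriteProcessMemory 4572 rundll32.exe 5064
WriteProcessMemory 4572 rundll32.exe 5064
WriteProcessMemory 4572 rundll32.exe 5064
WriteProcessMemory 4572 rundll32.exe 5064
SetThreadContext 4572 rundll32.exe 5064
WriteProcessMemory 5064 rundll32.exe 2268
AdjustPrivilegeToken 2268 whoami.exe SeDebugPrivilege
"""


@dataclass(frozen=True)
class Event:
    api: str
    pid: int        # calling process
    process: str    # calling image name
    target: str     # target pid for memory/thread APIs, privilege name for token APIs


def parse_events(text: str) -> list[Event]:
    """One whitespace-separated event per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        api, pid, process, target = parts
        events.append(Event(api, int(pid), process, target))
    return events


def parent_map(events: list[Event]) -> dict[int, int]:
    """child pid -> parent pid, taken from the first WriteProcessMemory into each pid.

    Assumption: the first writer into a pid is its creator, because CreateProcess
    writes the child's startup data before any later injection can happen.
    """
    parents: dict[int, int] = {}
    for e in events:
        if e.api == "WriteProcessMemory":
            parents.setdefault(int(e.target), e.pid)
    return parents


def lineage(events: list[Event], pid: int) -> list[int]:
    """Ancestry chain root -> ... -> pid (cycle-safe)."""
    parents = parent_map(events)
    chain, seen = [pid], {pid}
    while chain[-1] in parents and parents[chain[-1]] not in seen:
        chain.append(parents[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]


def find_injection_candidates(events: list[Event]) -> list[dict]:
    """(source, target) pairs that saw both WriteProcessMemory and SetThreadContext."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    ctx: set[tuple[int, int]] = set()
    image: dict[int, str] = {}
    for e in events:
        if e.api in ("WriteProcessMemory", "SetThreadContext"):
            pair = (e.pid, int(e.target))
            image[e.pid] = e.process
            if e.api == "WriteProcessMemory":
                writes[pair] += 1
            else:
                ctx.add(pair)
    return [
        {"source": s, "target": t, "process": image[s], "writes": writes[(s, t)]}
        for (s, t) in sorted(ctx)
    ]


def privileged_pids(events: list[Event], privilege: str = "SeDebugPrivilege") -> dict[int, str]:
    """pid -> image for processes that adjusted their token to hold `privilege`."""
    return {e.pid: e.process for e in events
            if e.api == "AdjustPrivilegeToken" and e.target == privilege}


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for c in find_injection_candidates(evs):
        print(f"injection: {c['process']} {c['source']} -> {c['target']} "
              f"({c['writes']} writes + SetThreadContext)")
    for pid, img in privileged_pids(evs).items():
        print(f"{img} {pid} enabled SeDebugPrivilege; lineage {lineage(evs, pid)}")
```

Run against the rows above, the only pair flagged is rundll32.exe 4572 -> 5064 (four writes plus SetThreadContext), and whoami.exe 2268 resolves to the lineage 1268 -> 4572 -> 5064 -> 2268. The 1268 -> 4572 writes are not flagged because no SetThreadContext follows them, which matches the expected 64-bit to WOW64 rundll32 handoff for a 32-bit DLL.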