Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 15:51

Static task: static1
- 1 signature

Behavioral task: behavioral1
- Sample: f38a5d2a9e188c95d788cf75aff21e3b97c4158006526db9fe94e3e5e1403ec8.dll
- Resource: win7-20231215-en (windows7-x64)
- 4 signatures
- 150 seconds
General
- Target: f38a5d2a9e188c95d788cf75aff21e3b97c4158006526db9fe94e3e5e1403ec8.dll
- Size: 349KB
- MD5: f4b3fe24439347428dd1945e00769487
- SHA1: 480bea45d1eeb9c2080e5471f90596971cae0830
- SHA256: f38a5d2a9e188c95d788cf75aff21e3b97c4158006526db9fe94e3e5e1403ec8
- SHA512: fa2d5726f5ac81d48d711b647a408f1717069eefe48e52cdae854408ea4a201febc615fb42f6f5053f38d712e7f63a905e10d5a3df412eb46bd789032032e4af
- SSDEEP: 3072:HUZii6+5RerwV3X06mgR1IZ7ayocBcDmi7Iwxrm9tLnhkQRw3LCms9PQMguAlntD:MiZ+7TX06mJ7ayoppVkiGFglx1MbG
- Score: 5/10
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes: rundll32.exe
  description   ioc                                                       process
  File created  C:\Windows\SysWOW64\Dumps\dump_20240125155205282.dmp     rundll32.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: rundll32.exe
  pid   process
  2000  rundll32.exe
  2000  rundll32.exe
  2000  rundll32.exe
  2000  rundll32.exe
  2000  rundll32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: rundll32.exe
  description                 pid   process
  Token: SeShutdownPrivilege  2000  rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description                        pid   process       target process
  PID 2032 wrote to memory of 2000   2032  rundll32.exe  rundll32.exe
  PID 2032 wrote to memory of 2000   2032  rundll32.exe  rundll32.exe
  PID 2032 wrote to memory of 2000   2032  rundll32.exe  rundll32.exe
  PID 2032 wrote to memory of 2000   2032  rundll32.exe  rundll32.exe
  PID 2032 wrote to memory of 2000   2032  rundll32.exe  rundll32.exe
  PID 2032 wrote to memory of 2000   2032  rundll32.exe  rundll32.exe
  PID 2032 wrote to memory of 2000   2032  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f38a5d2a9e188c95d788cf75aff21e3b97c4158006526db9fe94e3e5e1403ec8.dll,#1
  PID: 2032
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f38a5d2a9e188c95d788cf75aff21e3b97c4158006526db9fe94e3e5e1403ec8.dll,#1
    PID: 2000
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken