39a2cedcde9c9d58ac7d408109414efbaf6a2ae76cdfd0e2f43298698762c55b

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 18:27

Target

c94e50739018f558c5deee2b1c0500fe.dll
Size

216KB
MD5

c94e50739018f558c5deee2b1c0500fe
SHA1

42ac57071dd3ab5604bc4f4b9fb9498c326d0bf2
SHA256

39a2cedcde9c9d58ac7d408109414efbaf6a2ae76cdfd0e2f43298698762c55b
SHA512

14a603e35e389a36b35d8dbc439d4e1dac27fa0ae6aa88f0608ac1e1356cce15f08fa71bc2569d4e6749811bf9d2396be3acd2996be8b28d7b5dfbba89f3bd87
SSDEEP

384:BTW3UoNAgloeECwx7WkHrEOBRQOkbdLhzWXIE1vaI9FOP4cK:BvnLBYOkbdLd6vaI9Fz

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1544-0-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/memory/1544-1-0x0000000010000000-0x0000000010010000-memory.dmp	upx

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1544	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1544	1624	rundll32.exe	27
PID 1624 wrote to memory of 1544	1624	rundll32.exe	27
PID 1624 wrote to memory of 1544	1624	rundll32.exe	27
PID 1624 wrote to memory of 1544	1624	rundll32.exe	27
PID 1624 wrote to memory of 1544	1624	rundll32.exe	27
PID 1624 wrote to memory of 1544	1624	rundll32.exe	27
PID 1624 wrote to memory of 1544	1624	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c94e50739018f558c5deee2b1c0500fe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c94e50739018f558c5deee2b1c0500fe.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1544

memory/1544-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1544-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download