Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 00:18
Behavioral task: behavioral1
Sample: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll
Resource: win10v2004-20240508-en
General

Target: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll
Size: 95KB
MD5: 38098115b28513e9953ac978b324aeea
SHA1: 73271e4c7e37fbb2493ed03f6269ca9dddda8070
SHA256: 8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8
SHA512: 20d56dc6bad1a8899efbc7293c4cc825fae1d40ce0734a8af3971418729b17c0e0cdb4af7fee10ea5efcf648a5268b5d3d3212c61ed18a31c11d5e0d8563b4a8
SSDEEP: 1536:NkGwueOJxhi6loej9cX8VAU0EgB2AW6dY5pZn4nDx2W6:umivAq7186a4nDxI
Malware Config
Signatures

Drops startup file (1 IoC)
Processes:
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxcdafti.exe (process: rundll32.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeSecurityPrivilege (pid 1636, process: rundll32.exe)
  Token: SeDebugPrivilege (pid 1636, process: rundll32.exe)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  PID 2768 wrote to memory of 1636 (pid 2768, process: rundll32.exe, target process: rundll32.exe), 7 identical entries
  Note: 2768 is the 64-bit rundll32.exe from C:\Windows\system32 and 1636 is the 32-bit rundll32.exe it launched from C:\Windows\SysWOW64 with the same DLL and export. That relaunch is how rundll32 hosts a 32-bit DLL on x64 Windows (the image is tagged both arch:x86 and arch:x64), so parent-to-child writes during process creation are expected here and are not by themselves evidence of injection into an unrelated process; the Startup-folder drop and SeDebugPrivilege request by 1636 are the stronger indicators.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll,#1
  PID: 2768
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child of 2768)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll,#1
    PID: 1636
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
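The signature and process-tree data above can be turned into a detection that keeps the two behaviours apart: the 64-bit-to-SysWOW64 rundll32 relaunch (informational on its own) and a rundll32 process writing an executable into the per-user Startup folder (the actual persistence indicator). The following is an added example written for this page, not code from the sandbox or from the sample. It runs over constructed Sysmon-style process-creation and file-creation records built from the PIDs, images, command line and Startup path in this report; the parent PID 1234 of the first rundll32.exe and the event field names are assumptions, since the report does not show them.

```python
"""Triage the rundll32 behaviour chain from the report over constructed Sysmon-style events."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-user Startup folder, as in the report's "Drops startup file" IoC (regex, backslashes literal).
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I
)
# rundll32 command line: "rundll32.exe <dll>,<export>"; the export may be an ordinal like "#1".
RUNDLL_CMD = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),(?P<export>#?\w+)", re.I)


@dataclass
class ProcessEvent:          # Sysmon Event ID 1 style (field names assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:             # Sysmon Event ID 11 style (field names assumed)
    pid: int
    path: str


def rundll32_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll, export), lower-cased, from a rundll32 command line, or None."""
    m = RUNDLL_CMD.search(cmdline)
    if not m:
        return None
    return m.group("dll").lower(), m.group("export").lower()


def wow64_rundll32_hops(procs: List[ProcessEvent]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where system32 rundll32 launched SysWOW64 rundll32
    with the same DLL and export. This is how rundll32 hosts a 32-bit DLL on x64 Windows,
    so the pair is informational; what the child does afterwards decides the verdict."""
    by_pid = {p.pid: p for p in procs}
    hops = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_target = rundll32_target(parent.cmdline) is not None and \
            rundll32_target(parent.cmdline) == rundll32_target(child.cmdline)
        if (parent.image.lower().endswith("\\system32\\rundll32.exe")
                and child.image.lower().endswith("\\syswow64\\rundll32.exe")
                and same_target):
            hops.append((parent.pid, child.pid))
    return hops


def startup_drops(procs: List[ProcessEvent], files: List[FileEvent]) -> List[Tuple[int, str]]:
    """(pid, path) for any rundll32 process (either bitness) writing into the Startup folder."""
    rundll_pids = {p.pid for p in procs if p.image.lower().endswith("\\rundll32.exe")}
    return [(f.pid, f.path) for f in files
            if f.pid in rundll_pids and STARTUP_DIR.search(f.path)]


def triage(procs: List[ProcessEvent], files: List[FileEvent]) -> dict:
    """Combine both checks: a Startup drop is suspicious; a bare WoW64 hop is only informational."""
    hops = wow64_rundll32_hops(procs)
    drops = startup_drops(procs, files)
    verdict = "suspicious" if drops else ("informational" if hops else "clean")
    return {"wow64_hops": hops, "startup_drops": drops, "verdict": verdict}


# Constructed input: values taken from the report's process tree and IoCs; ppid 1234 is assumed.
DLL = r"C:\Users\Admin\AppData\Local\Temp\8bd6000c423457e34614b28103827b2ea3b1e2cacc4ff07d4936090f078200f8.dll"
PROCS = [
    ProcessEvent(2768, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcessEvent(1636, 2768, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
]
FILES = [
    FileEvent(1636, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxcdafti.exe"),
]

if __name__ == "__main__":
    print(triage(PROCS, FILES))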