b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 01:37

Sharing

Target

dcomcnfg.exe
Size

28KB
MD5

dfa0d5bcde97e541aae197b791b0bf77
SHA1

602883cd4308964a2e0fc74a561861908400144f
SHA256

893a6c696459fe6f44c5e71dba1f792df37ba765095548d125ba43aca4f47b18
SHA512

bf78cf1c20941f4735549c427a8295b7b2ea5756d1246b7530c0e1e55a9c1f28574d93a0de4faf2392df07940f2733208451130718150357efc390a09b75087c
SSDEEP

192:XJTPYfus5uLG27WxL3uX8E4+7L5Eyf9CseWEFCpt2cjIfWJfsW0EW:ZTAWsYcL3fEP7LGj7FCp6fWyW0EW

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\comexp.msc	mmc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F4167BCB-4550-4F5E-9CBC-AA7A6ACF5BB0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F4167BCB-4550-4F5E-9CBC-AA7A6ACF5BB0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4488	mmc.exe
Token: 33	4488	mmc.exe
Token: SeIncBasePriorityPrivilege	4488	mmc.exe
Token: 33	4488	mmc.exe
Token: SeIncBasePriorityPrivilege	4488	mmc.exe
Token: 33	4488	mmc.exe
Token: SeIncBasePriorityPrivilege	4488	mmc.exe
Token: 33	4488	mmc.exe
Token: SeIncBasePriorityPrivilege	4488	mmc.exe
Token: 33	4488	mmc.exe
Token: SeIncBasePriorityPrivilege	4488	mmc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4488	mmc.exe
4488	mmc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4488	2836	dcomcnfg.exe	89
PID 2836 wrote to memory of 4488	2836	dcomcnfg.exe	89

C:\Users\Admin\AppData\Local\Temp\dcomcnfg.exe
"C:\Users\Admin\AppData\Local\Temp\dcomcnfg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\system32\mmc.exe
  C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4488

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:3512

memory/4488-0-0x00007FFB50153000-0x00007FFB50155000-memory.dmp

Filesize
8KB

Download
memory/4488-1-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-2-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-3-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-4-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-5-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-6-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-7-0x00007FFB50153000-0x00007FFB50155000-memory.dmp

Filesize
8KB

Download
memory/4488-8-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-9-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download
memory/4488-10-0x00007FFB50150000-0x00007FFB50C11000-memory.dmp

Filesize
10.8MB

Download