596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03

General

Target

ce-lib64.dll
Size

2.7MB
MD5

613f165469e6fdfeedfbcac79296906e
SHA1

f90782144ecd3681c76a3e986863240d4e17c215
SHA256

498de4f8bd87cbaf68344742f76e08dd241824148fb25fef8835ef069e56f804
SHA512

3523a3a351fd8f3a49b474dfb6530d8ac77eebdb93eb3711c6beff50aae35e9c0ebd3fd525db10f9fe9707752c87b94134a2ff4b7079149664f0628ef4991fc2
SSDEEP

49152:gSBaMAHsRvK8BsF4G+WcXP8qN2WSkZeMPnvwPD6D3uz:0+RFfG+rB8ws+Y

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\symbols\dll\shell32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\DLL\imm32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\psapi.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\advapi32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\gdi32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\win32u.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\user32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\oleaut32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\psapi.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\msctf.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\msctf.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\combase.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\imagehlp.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\gdi32full.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\comctl32v582.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\rpcrt4.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\sechost.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\sechost.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\gdi32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\shcore.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\msvcp_win.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\UxTheme.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\UxTheme.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\DLL\kernel32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\shell32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\bcryptprimitives.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\msimg32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dbghelp.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\exe\rundll32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\msvcrt.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\shcore.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\msvcp_win.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\msvcp_win.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\combase.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\rpcrt4.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\gdi32full.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\dbghelp.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\dbghelp.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\kernelbase.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\rpcrt4.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\oleaut32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\version.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\version.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\combase.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\ucrtbase.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\ce-lib64.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\gdi32full.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\ole32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\imm32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\DLL\imm32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\psapi.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\imagehlp.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\msimg32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\msctf.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\win32u.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\user32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\user32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\symbols\dll\msvcrt.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\ce-lib64.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\advapi32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\advapi32.pdb	rundll32.exe
File opened for modification	C:\Windows\system32\dll\gdi32.pdb	rundll32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4304	rundll32.exe
Token: SeLoadDriverPrivilege	4304	rundll32.exe
Token: SeCreateGlobalPrivilege	4304	rundll32.exe
Token: SeLockMemoryPrivilege	4304	rundll32.exe
Token: 33	4304	rundll32.exe
Token: SeSecurityPrivilege	4304	rundll32.exe
Token: SeTakeOwnershipPrivilege	4304	rundll32.exe
Token: SeManageVolumePrivilege	4304	rundll32.exe
Token: SeBackupPrivilege	4304	rundll32.exe
Token: SeCreatePagefilePrivilege	4304	rundll32.exe
Token: SeShutdownPrivilege	4304	rundll32.exe
Token: SeRestorePrivilege	4304	rundll32.exe
Token: 33	4304	rundll32.exe
Token: SeIncBasePriorityPrivilege	4304	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce-lib64.dll,#1
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4304

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads