Analysis
- max time kernel: 135s
- max time network: 135s
- platform: windows10_x64
- resource: win10
- submitted: 16-10-2020 13:48
Static task: static1
Behavioral task: behavioral1
- Sample: YCRkFXS.dll
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: YCRkFXS.dll
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: YCRkFXS.dll
- Size: 764KB
- MD5: 1d36338becdf76e5245665e2833d8a38
- SHA1: 1c2c449a06873070a3e154069c8a71de3d6e908d
- SHA256: 15737d37308fb5a8745afb8c34249e387bad9b1d001f2fcaa44b8c0333286861
- SHA512: 391dfaab6326b9066d2be333eff53aab2c74a006fae5be93961d0bf1766d8ffb09c950093bbdcb7276047f574ba544f44c5f0835c0a0f3e764f02455fb375176
- Score: 10/10
Malware Config
Signatures
- Blacklisted process makes network request (2 IoCs)
  Processes: msiexec.exe
    flow  pid   process
    17    1276  msiexec.exe
    18    1276  msiexec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msiexec.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dexazuca = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Capi\\vaqaoto.dll" (process: msiexec.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  - PID 4000 set thread context of 1276 (process: rundll32.exe, target process: msiexec.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  - Token: SeSecurityPrivilege (pid 1276, process: msiexec.exe)
  - Token: SeSecurityPrivilege (pid 1276, process: msiexec.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 3828 wrote to memory of 4000   3828  rundll32.exe  rundll32.exe
    PID 3828 wrote to memory of 4000   3828  rundll32.exe  rundll32.exe
    PID 3828 wrote to memory of 4000   3828  rundll32.exe  rundll32.exe
    PID 4000 wrote to memory of 1276   4000  rundll32.exe  msiexec.exe
    PID 4000 wrote to memory of 1276   4000  rundll32.exe  msiexec.exe
    PID 4000 wrote to memory of 1276   4000  rundll32.exe  msiexec.exe
    PID 4000 wrote to memory of 1276   4000  rundll32.exe  msiexec.exe
    PID 4000 wrote to memory of 1276   4000  rundll32.exe  msiexec.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\YCRkFXS.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\YCRkFXS.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blacklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken