Analysis
- max time kernel: 110s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:55
Static task: static1
Behavioral task: behavioral1
- Sample: uOUcRwG.bin.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: uOUcRwG.bin.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: uOUcRwG.bin.dll
- Size: 536KB
- MD5: 5f876d0f7e22485ed0d5b5e55d464a29
- SHA1: 1a6f7f166ba0cd568c3fa8bc8984940807fc8c24
- SHA256: 9e2fa4b7f6deb04ea27330c49288b59646737eea5c37d21acc2d4433054b9e4e
- SHA512: e4356943be247753259ad9808e63bfa96b10b72c3d9f141769db3cb269f98b1a4a5b61038fd99f655bf1411ed2b06af5e5ee8a3a0d1574a3cfe57a6c4397ee76
- Score: 10/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Elirraq = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Tosi\\naevxex.dll" | msiexec.exe
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 4752 set thread context of 3224 | 4752 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 3224 | msiexec.exe
  Token: SeSecurityPrivilege | 3224 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 4696 wrote to memory of 4752 | 4696 | rundll32.exe | rundll32.exe
  PID 4696 wrote to memory of 4752 | 4696 | rundll32.exe | rundll32.exe
  PID 4696 wrote to memory of 4752 | 4696 | rundll32.exe | rundll32.exe
  PID 4752 wrote to memory of 3224 | 4752 | rundll32.exe | msiexec.exe
  PID 4752 wrote to memory of 3224 | 4752 | rundll32.exe | msiexec.exe
  PID 4752 wrote to memory of 3224 | 4752 | rundll32.exe | msiexec.exe
  PID 4752 wrote to memory of 3224 | 4752 | rundll32.exe | msiexec.exe
  PID 4752 wrote to memory of 3224 | 4752 | rundll32.exe | msiexec.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\uOUcRwG.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\uOUcRwG.bin.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken