Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:37

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: w.dll
  Resource: win7v20201028 (windows7_x64)
  Signatures: 0
  Time: 0 seconds

Note: the behavioral1 row lists the Windows 7 task with 0 signatures and 0 seconds of run time; the platform, resource and timings under Analysis describe the Windows 10 run, which is the run the signatures and process tree below belong to.
General
- Target: w.dll
- Size: 492KB
- MD5: 892fbc87fdbcbe9d91e17ae7355eb54c
- SHA1: c0e25d2f02a768def644be6c248732da4f91495b
- SHA256: 67b46301815d5ba32f90af114a459810902ba6d97a75821c8455b8103073b499
- SHA512: 09c30eef3c57be57ef396ff1c2de92f0cff1b57bea0e56ab6401b844b4c5982c7a56f3ef708d0aff2bb6ea1baaef5cf39098b6623bc529c579b35ad73ea4039a
Malware Config
Signatures
- Blacklisted process makes network request (14 IoCs)
  flow  pid   process
  25    3944  msiexec.exe
  26    3944  msiexec.exe
  27    3944  msiexec.exe
  28    3944  msiexec.exe
  29    3944  msiexec.exe
  30    3944  msiexec.exe
  32    3944  msiexec.exe
  33    3944  msiexec.exe
  34    3944  msiexec.exe
  35    3944  msiexec.exe
  36    3944  msiexec.exe
  37    3944  msiexec.exe
  39    3944  msiexec.exe
  40    3944  msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process       target process
  PID 3648 set thread context of 3944  3648  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   process
  Token: SeSecurityPrivilege  3944  msiexec.exe
  Token: SeSecurityPrivilege  3944  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process       target process
  PID 3408 wrote to memory of 3648  3408  rundll32.exe  rundll32.exe
  PID 3408 wrote to memory of 3648  3408  rundll32.exe  rundll32.exe
  PID 3408 wrote to memory of 3648  3408  rundll32.exe  rundll32.exe
  PID 3648 wrote to memory of 3944  3648  rundll32.exe  msiexec.exe
  PID 3648 wrote to memory of 3944  3648  rundll32.exe  msiexec.exe
  PID 3648 wrote to memory of 3944  3648  rundll32.exe  msiexec.exe
  PID 3648 wrote to memory of 3944  3648  rundll32.exe  msiexec.exe
  PID 3648 wrote to memory of 3944  3648  rundll32.exe  msiexec.exe
Processes (PIDs taken from the signature tables above)
- C:\Windows\system32\rundll32.exe (PID 3408)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\w.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3648)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\w.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 3944)
      msiexec.exe
      - Blacklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken

Read together with the signature tables: the 64-bit rundll32.exe loads export #1 of w.dll and relaunches the 32-bit rundll32.exe from SysWOW64, as it does for a 32-bit DLL (its three writes into PID 3648 are not paired with any SetThreadContext). The 32-bit rundll32.exe then starts msiexec.exe with no arguments, writes into it five times and resets one of its thread contexts, after which msiexec.exe, not rundll32.exe, makes all 14 network requests and enables SeSecurityPrivilege. That is the thread-hijack injection pattern: the DLL's payload runs under a signed Microsoft binary, so network IoCs must be tied to PID 3944 rather than to rundll32.exe.
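The signature tables and the process tree above only become a detection once they are read as a sequence: a cross-process WriteProcessMemory followed by a SetThreadContext on the same child, and network flows from that child afterwards. The script below, an added example that is not part of this report or of the sandbox's own tooling, reconstructs that chain from a constructed event timeline whose records mirror the report's columns (pid, image, target pid, flow id). The event schema, the helper names and the parent PID 1000 of the first rundll32.exe are assumptions, not anything the report states.

```python
"""Flag the injection chain behind the report's signatures from sandbox-style events.

Added example, not part of the sandbox report or of the sandbox's own tooling.
The records below are constructed to mirror the report's tables (pid, image,
target pid, flow id); the field names are an assumed schema, not Sysmon or ETW.
"""
from collections import defaultdict
from ntpath import basename

# Constructed timeline implied by the report: 64-bit rundll32 (3408) relaunches
# the 32-bit copy (3648), which spawns an argument-less msiexec (3944), writes
# into it, resets one of its thread contexts, after which msiexec opens flows.
EVENTS = [
    {"type": "create", "pid": 3408, "ppid": 1000,  # ppid 1000 is an assumed parent
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\w.dll,#1"},
    {"type": "create", "pid": 3648, "ppid": 3408,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\w.dll,#1"},
    *[{"type": "api", "pid": 3408, "api": "WriteProcessMemory", "target": 3648}
      for _ in range(3)],
    {"type": "create", "pid": 3944, "ppid": 3648,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": "msiexec.exe"},
    *[{"type": "api", "pid": 3648, "api": "WriteProcessMemory", "target": 3944}
      for _ in range(5)],
    {"type": "api", "pid": 3648, "api": "SetThreadContext", "target": 3944},
    *[{"type": "api", "pid": 3944, "api": "AdjustPrivilegeToken", "target": 3944}
      for _ in range(2)],
    *[{"type": "net", "pid": 3944, "flow": f}
      for f in (25, 26, 27, 28, 29, 30, 32, 33, 34, 35, 36, 37, 39, 40)],
]


def process_tree(events):
    """pid -> {ppid, image, cmdline}, built from the process-creation records."""
    return {e["pid"]: {k: e[k] for k in ("ppid", "image", "cmdline")}
            for e in events if e["type"] == "create"}


def bare_msiexec_children(events):
    """(parent pid, child pid) for every msiexec.exe started with no arguments
    by something other than msiexec itself. A bare msiexec under rundll32 has
    no installer job to do; it exists to be written into."""
    procs = process_tree(events)
    hits = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if (parent is not None
                and basename(p["image"]).lower() == "msiexec.exe"
                and p["cmdline"].strip().strip('"').lower() == "msiexec.exe"
                and basename(parent["image"]).lower() != "msiexec.exe"):
            hits.append((p["ppid"], pid))
    return hits


def injection_chains(events):
    """Single pass over the timeline. A (writer, target) pair becomes a chain
    once the writer has both written the target's memory and reset one of its
    thread contexts; network flows the target opens after that point are
    attributed to the injected code. Returns {(writer, target): [flow ids]}.
    Cross-process writes without a SetThreadContext (3408 -> 3648 here, the
    WOW64 relaunch) are deliberately not reported."""
    wrote, ctx, chains = defaultdict(set), defaultdict(set), {}
    for e in events:
        if e["type"] == "api" and e["target"] != e["pid"]:
            w, t = e["pid"], e["target"]
            if e["api"] == "WriteProcessMemory":
                wrote[w].add(t)
            elif e["api"] == "SetThreadContext":
                ctx[w].add(t)
            if t in wrote[w] and t in ctx[w]:
                chains.setdefault((w, t), [])
        elif e["type"] == "net":
            for (_, t), flows in chains.items():
                if t == e["pid"]:
                    flows.append(e["flow"])
    return chains


if __name__ == "__main__":
    for parent, child in bare_msiexec_children(EVENTS):
        print(f"bare msiexec.exe {child} spawned by {parent}")
    for (w, t), flows in injection_chains(EVENTS).items():
        print(f"{w} wrote into {t} and reset its thread context; "
              f"{t} then opened {len(flows)} flows: {flows}")
```

Run against the constructed timeline, only the 3648 -> 3944 pair is reported, with the same 14 flow ids the report attributes to msiexec.exe; the three writes from 3408 into 3648 stay out of the result because no thread context was changed there. Requiring both API calls on the same target, and only counting flows that follow them, is what keeps legitimate parent-child memory writes from paging anyone.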