51474784e9d505b7734eb7bc2683d5db4e5eeb1f899f76c60883260c4b18ea5c | Triage

Resubmissions

21-11-2020 08:10

201121-ltfxa47sfx 4

20-11-2020 09:37

201120-nay4wh51ma 4

Analysis

max time kernel
2s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
21-11-2020 08:10

Sharing

Report Analysis Logs

General

Target

robertophotopng.dll
Size

272KB
MD5

6751ee30aac03ceb84c5391dba766143
SHA1

739c47038f2f6d877bdd43b16bd67eb9aa22eccd
SHA256

51474784e9d505b7734eb7bc2683d5db4e5eeb1f899f76c60883260c4b18ea5c
SHA512

f2713c5646a0f89271571863f7de2162be689a2a39f8c5d549dc094e23b178725e57b7d12839243d10f65aede8570f926eab17ed77d22a6b5320ad04c2cbd0ec

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\notepad.exe regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 292 wrote to memory of 1900	292	regsvr32.exe	regsvr32.exe
PID 292 wrote to memory of 1900	292	regsvr32.exe	regsvr32.exe
PID 292 wrote to memory of 1900	292	regsvr32.exe	regsvr32.exe
PID 292 wrote to memory of 1900	292	regsvr32.exe	regsvr32.exe
PID 292 wrote to memory of 1900	292	regsvr32.exe	regsvr32.exe
PID 292 wrote to memory of 1900	292	regsvr32.exe	regsvr32.exe
PID 292 wrote to memory of 1900	292	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\robertophotopng.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\robertophotopng.dll
2⤵
- Drops file in Windows directory
PID:1900

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-0-0x0000000000000000-mapping.dmp

Download