Analysis
- max time kernel: 63s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-11-2020 01:28
Static task: static1
Behavioral task: behavioral1
- Sample: XRqW4.exe.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: XRqW4.exe.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: XRqW4.exe.dll
- Size: 320KB
- MD5: 7ebb3ae8efec620294fdfa3e99da78ea
- SHA1: a545d8cd080a7237465ba3c63f8119d03369e005
- SHA256: 550187abd3b47d3796a1811dc016c935069ac631996de7cd428ae986b39b2107
- SHA512: aa5ee27c3f3b55beefdda9103b9b548af9f04b41535b9e74379c3c8ed5904519766de4321a995047a63d958dafc20f82607b09678cf09f1b24ca29bec5facb0c
- Score: 8/10
Malware Config
Signatures
- Blacklisted process makes network request (6 IoCs)
  Processes (flow / pid / process):
    16 / 1932 / msiexec.exe
    18 / 1932 / msiexec.exe
    20 / 1932 / msiexec.exe
    22 / 1932 / msiexec.exe
    24 / 1932 / msiexec.exe
    26 / 1932 / msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 2128 set thread context of 1932 / 2128 / regsvr32.exe / msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeSecurityPrivilege / 1932 / msiexec.exe
    Token: SeSecurityPrivilege / 1932 / msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 4092 wrote to memory of 2128 / 4092 / regsvr32.exe / regsvr32.exe
    PID 4092 wrote to memory of 2128 / 4092 / regsvr32.exe / regsvr32.exe
    PID 4092 wrote to memory of 2128 / 4092 / regsvr32.exe / regsvr32.exe
    PID 2128 wrote to memory of 1932 / 2128 / regsvr32.exe / msiexec.exe
    PID 2128 wrote to memory of 1932 / 2128 / regsvr32.exe / msiexec.exe
    PID 2128 wrote to memory of 1932 / 2128 / regsvr32.exe / msiexec.exe
    PID 2128 wrote to memory of 1932 / 2128 / regsvr32.exe / msiexec.exe
    PID 2128 wrote to memory of 1932 / 2128 / regsvr32.exe / msiexec.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\XRqW4.exe.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\XRqW4.exe.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blacklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken