Analysis
- Max time kernel: 596s
- Max time network: 596s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 11-12-2020 16:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: wp-scan.php.dll
  - Resource: win10v20201028 (windows10_x64)
  - 0 signatures, 0 seconds
General
- Target: wp-scan.php.dll
- Size: 520KB
- MD5: 976a3e1f72f6d0e32e5eaab7db1c93b4
- SHA1: 77aff7c16b978445d7b4b7a9d2b1eaef0592b439
- SHA256: 0e70968a9326d7abc103c04b4c355649c837c69c92b83af9ac4e2c1c123f0948
- SHA512: a29993ba569f5ef123054c8dd8a0ed71c04c5dfb573dd2c9917deed7f1c870732c24bfd2c387a93c539a09d635dde4d89dc048179e3dfc7e5edc9da679d54e0e
- Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (33 IoCs)
  - Process: msiexec.exe (PID 1932)
  - Network flows: 16, 18, 20, 22, 23, 24, 25, 26, 27, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61
- Suspicious use of SetThreadContext (1 IoC)
  - rundll32.exe (PID 3164) set thread context of msiexec.exe (PID 1932)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - msiexec.exe (PID 1932) enabled token privilege SeSecurityPrivilege (2 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - rundll32.exe (PID 4076) wrote to memory of rundll32.exe (PID 3164) (3 times)
  - rundll32.exe (PID 3164) wrote to memory of msiexec.exe (PID 1932) (5 times)
Processes
- C:\Windows\system32\rundll32.exe
  - Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\wp-scan.php.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    - Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\wp-scan.php.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      - Command line: msiexec.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken