0e70968a9326d7abc103c04b4c355649c837c69c92b83af9ac4e2c1c123f0948 | Triage

Resubmissions

11-12-2020 16:27

201211-at63vndq5s 10

11-12-2020 15:33

201211-lrjc74mj2e 10

Analysis

max time kernel
596s
max time network
596s
platform
windows10_x64
resource
win10v20201028
submitted
11-12-2020 16:27

Sharing

Report Analysis Logs

General

Target

wp-scan.php.dll
Size

520KB
MD5

976a3e1f72f6d0e32e5eaab7db1c93b4
SHA1

77aff7c16b978445d7b4b7a9d2b1eaef0592b439
SHA256

0e70968a9326d7abc103c04b4c355649c837c69c92b83af9ac4e2c1c123f0948
SHA512

a29993ba569f5ef123054c8dd8a0ed71c04c5dfb573dd2c9917deed7f1c870732c24bfd2c387a93c539a09d635dde4d89dc048179e3dfc7e5edc9da679d54e0e

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 33 IoCs

Processes:

msiexec.exe

flow	pid	process
16	1932	msiexec.exe
18	1932	msiexec.exe
20	1932	msiexec.exe
22	1932	msiexec.exe
23	1932	msiexec.exe
24	1932	msiexec.exe
25	1932	msiexec.exe
26	1932	msiexec.exe
27	1932	msiexec.exe
29	1932	msiexec.exe
31	1932	msiexec.exe
32	1932	msiexec.exe
33	1932	msiexec.exe
34	1932	msiexec.exe
35	1932	msiexec.exe
36	1932	msiexec.exe
37	1932	msiexec.exe
38	1932	msiexec.exe
39	1932	msiexec.exe
40	1932	msiexec.exe
41	1932	msiexec.exe
42	1932	msiexec.exe
51	1932	msiexec.exe
52	1932	msiexec.exe
53	1932	msiexec.exe
54	1932	msiexec.exe
55	1932	msiexec.exe
56	1932	msiexec.exe
57	1932	msiexec.exe
58	1932	msiexec.exe
59	1932	msiexec.exe
60	1932	msiexec.exe
61	1932	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3164 set thread context of 1932 3164 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1932 msiexec.exe
Token: SeSecurityPrivilege 1932 msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4076 wrote to memory of 3164	4076	rundll32.exe	rundll32.exe
PID 4076 wrote to memory of 3164	4076	rundll32.exe	rundll32.exe
PID 4076 wrote to memory of 3164	4076	rundll32.exe	rundll32.exe
PID 3164 wrote to memory of 1932	3164	rundll32.exe	msiexec.exe
PID 3164 wrote to memory of 1932	3164	rundll32.exe	msiexec.exe
PID 3164 wrote to memory of 1932	3164	rundll32.exe	msiexec.exe
PID 3164 wrote to memory of 1932	3164	rundll32.exe	msiexec.exe
PID 3164 wrote to memory of 1932	3164	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wp-scan.php.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wp-scan.php.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-3-0x0000000002F30000-0x0000000002F56000-memory.dmp

Filesize
152KB

Download
memory/1932-4-0x0000000000000000-mapping.dmp

Download
memory/3164-2-0x0000000000000000-mapping.dmp

Download