a46de7b1eb5d6bd50182eebb1822b4535f3018136cd98af27ae6c462583a2267

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
15-02-2021 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LanguagePack = "C:\\Windows\\system32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\62a532-f0c532-a7cf2792-387ac0-01f0.db\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\LanguagePack = "C:\\Windows\\system32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\62a532-f0c532-a7cf2792-387ac0-01f0.db\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process
Token: SeCreateGlobalPrivilege	2792	regsvr32.exe
Token: SeDebugPrivilege	2792	regsvr32.exe
Token: SeCreateGlobalPrivilege	1848	regsvr32.exe
Token: SeCreateGlobalPrivilege	4056	regsvr32.exe
Token: SeCreateGlobalPrivilege	3664	regsvr32.exe
Token: SeCreateGlobalPrivilege	3684	regsvr32.exe
Token: SeCreateGlobalPrivilege	4020	regsvr32.exe
Token: SeCreateGlobalPrivilege	1160	regsvr32.exe
Token: SeCreateGlobalPrivilege	1972	regsvr32.exe
Token: SeCreateGlobalPrivilege	2772	regsvr32.exe
Token: SeCreateGlobalPrivilege	1196	regsvr32.exe
Token: SeCreateGlobalPrivilege	1612	regsvr32.exe
Token: SeCreateGlobalPrivilege	3584	regsvr32.exe
Token: SeCreateGlobalPrivilege	1408	regsvr32.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1924 wrote to memory of 1772	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1772	1924	regsvr32.exe	regsvr32.exe
PID 1772 wrote to memory of 1408	1772	regsvr32.exe	regsvr32.exe
PID 1772 wrote to memory of 1408	1772	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 2208	1408	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 2208	1408	regsvr32.exe	regsvr32.exe
PID 2208 wrote to memory of 2512	2208	regsvr32.exe	regsvr32.exe
PID 2208 wrote to memory of 2512	2208	regsvr32.exe	regsvr32.exe
PID 2512 wrote to memory of 2792	2512	regsvr32.exe	regsvr32.exe
PID 2512 wrote to memory of 2792	2512	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3976	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3976	2792	regsvr32.exe	regsvr32.exe
PID 3976 wrote to memory of 1848	3976	regsvr32.exe	regsvr32.exe
PID 3976 wrote to memory of 1848	3976	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 420	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 420	2792	regsvr32.exe	regsvr32.exe
PID 420 wrote to memory of 4056	420	regsvr32.exe	regsvr32.exe
PID 420 wrote to memory of 4056	420	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 4004	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 4004	2792	regsvr32.exe	regsvr32.exe
PID 4004 wrote to memory of 3664	4004	regsvr32.exe	regsvr32.exe
PID 4004 wrote to memory of 3664	4004	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 772	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 772	2792	regsvr32.exe	regsvr32.exe
PID 772 wrote to memory of 3684	772	regsvr32.exe	regsvr32.exe
PID 772 wrote to memory of 3684	772	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3936	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3936	2792	regsvr32.exe	regsvr32.exe
PID 3936 wrote to memory of 4020	3936	regsvr32.exe	regsvr32.exe
PID 3936 wrote to memory of 4020	3936	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3380	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3380	2792	regsvr32.exe	regsvr32.exe
PID 3380 wrote to memory of 1160	3380	regsvr32.exe	regsvr32.exe
PID 3380 wrote to memory of 1160	3380	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3008	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3008	2792	regsvr32.exe	regsvr32.exe
PID 3008 wrote to memory of 1972	3008	regsvr32.exe	regsvr32.exe
PID 3008 wrote to memory of 1972	3008	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 940	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 940	2792	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 2772	940	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 2772	940	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3552	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3552	2792	regsvr32.exe	regsvr32.exe
PID 3552 wrote to memory of 1196	3552	regsvr32.exe	regsvr32.exe
PID 3552 wrote to memory of 1196	3552	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3692	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3692	2792	regsvr32.exe	regsvr32.exe
PID 3692 wrote to memory of 1612	3692	regsvr32.exe	regsvr32.exe
PID 3692 wrote to memory of 1612	3692	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 396	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 396	2792	regsvr32.exe	regsvr32.exe
PID 396 wrote to memory of 3584	396	regsvr32.exe	regsvr32.exe
PID 396 wrote to memory of 3584	396	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 1772	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 1772	2792	regsvr32.exe	regsvr32.exe
PID 1772 wrote to memory of 1408	1772	regsvr32.exe	regsvr32.exe
PID 1772 wrote to memory of 1408	1772	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 4
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 3
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 2
4⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
5⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 1
7⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\\44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll" 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PREFHIST
MD5
e46c29f5fe8fd4df7ff69444ffd847c8

SHA1
3a5d2d44be97b4d5ef34ebf2ba4c58cf5865396c

SHA256
2c8e6c3ee5cbe499d1ea259fe987b073d312791270c08eba52cf4212d426263c

SHA512
c0a54ddc37a5fda5a250d449d7a9bd0626036aa780bbc739fc92701d8803f3914722aeef981160cdf1a08563ae72db30ae2771b7a00aed3eed56251434a5184e

Download Submit
memory/396-27-0x0000000000000000-mapping.dmp

Download
memory/420-9-0x0000000000000000-mapping.dmp

Download
memory/772-13-0x0000000000000000-mapping.dmp

Download
memory/940-21-0x0000000000000000-mapping.dmp

Download
memory/1160-18-0x0000000000000000-mapping.dmp

Download
memory/1196-24-0x0000000000000000-mapping.dmp

Download
memory/1408-3-0x0000000000000000-mapping.dmp

Download
memory/1408-30-0x0000000000000000-mapping.dmp

Download
memory/1612-26-0x0000000000000000-mapping.dmp

Download
memory/1772-2-0x0000000000000000-mapping.dmp

Download
memory/1772-29-0x0000000000000000-mapping.dmp

Download
memory/1848-8-0x0000000000000000-mapping.dmp

Download
memory/1972-20-0x0000000000000000-mapping.dmp

Download
memory/2208-4-0x0000000000000000-mapping.dmp

Download
memory/2512-5-0x0000000000000000-mapping.dmp

Download
memory/2772-22-0x0000000000000000-mapping.dmp

Download
memory/2792-6-0x0000000000000000-mapping.dmp

Download
memory/3008-19-0x0000000000000000-mapping.dmp

Download
memory/3380-17-0x0000000000000000-mapping.dmp

Download
memory/3552-23-0x0000000000000000-mapping.dmp

Download
memory/3584-28-0x0000000000000000-mapping.dmp

Download
memory/3664-12-0x0000000000000000-mapping.dmp

Download
memory/3684-14-0x0000000000000000-mapping.dmp

Download
memory/3692-25-0x0000000000000000-mapping.dmp

Download
memory/3936-15-0x0000000000000000-mapping.dmp

Download
memory/3976-7-0x0000000000000000-mapping.dmp

Download
memory/4004-11-0x0000000000000000-mapping.dmp

Download
memory/4020-16-0x0000000000000000-mapping.dmp

Download
memory/4056-10-0x0000000000000000-mapping.dmp

Download