d0981afbb7946eba293454df2bc7c48d48729c726d477465dbc61aedf6943d68 | Triage

Analysis

max time kernel
129s
max time network
128s
platform
windows10_x64
resource
win10v20201028
submitted
03-03-2021 01:40

Sharing

Report Analysis Logs

General

Target

b513c6fc32ea4666e3be5c62d50336db003f75de5344450c8e4a2d88b8911c06.dll
Size

285KB
MD5

a14d7a30ec304ce96f88347b25cbb668
SHA1

092a7a2f5509b92adacacb3b9215e2e61ba633fc
SHA256

b513c6fc32ea4666e3be5c62d50336db003f75de5344450c8e4a2d88b8911c06
SHA512

939c778efa7ec498b4b8b3d3e0ef9e1ab2f71845ed9a5513673290240fd0ab88b378e5d0ac682da639c2809a070aa538f8f0da762d8d41e584ea2ef46cc64589

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 26 IoCs

Processes:

msiexec.exe

flow	pid	process
15	1564	msiexec.exe
17	1564	msiexec.exe
18	1564	msiexec.exe
19	1564	msiexec.exe
20	1564	msiexec.exe
21	1564	msiexec.exe
22	1564	msiexec.exe
24	1564	msiexec.exe
25	1564	msiexec.exe
26	1564	msiexec.exe
27	1564	msiexec.exe
28	1564	msiexec.exe
29	1564	msiexec.exe
31	1564	msiexec.exe
32	1564	msiexec.exe
33	1564	msiexec.exe
34	1564	msiexec.exe
35	1564	msiexec.exe
36	1564	msiexec.exe
38	1564	msiexec.exe
39	1564	msiexec.exe
40	1564	msiexec.exe
41	1564	msiexec.exe
42	1564	msiexec.exe
43	1564	msiexec.exe
45	1564	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1808 set thread context of 1564 1808 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1564 msiexec.exe
Token: SeSecurityPrivilege 1564 msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1052 wrote to memory of 1808	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1808	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1808	1052	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1564	1808	regsvr32.exe	msiexec.exe
PID 1808 wrote to memory of 1564	1808	regsvr32.exe	msiexec.exe
PID 1808 wrote to memory of 1564	1808	regsvr32.exe	msiexec.exe
PID 1808 wrote to memory of 1564	1808	regsvr32.exe	msiexec.exe
PID 1808 wrote to memory of 1564	1808	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b513c6fc32ea4666e3be5c62d50336db003f75de5344450c8e4a2d88b8911c06.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b513c6fc32ea4666e3be5c62d50336db003f75de5344450c8e4a2d88b8911c06.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1564-5-0x0000000000000000-mapping.dmp

Download
memory/1564-6-0x0000000003090000-0x00000000030B6000-memory.dmp

Filesize
152KB

Download
memory/1808-2-0x0000000000000000-mapping.dmp

Download
memory/1808-3-0x0000000073F50000-0x0000000073F76000-memory.dmp

Filesize
152KB

Download
memory/1808-4-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download