7b2991d5d1494b1dce30f7a7bab92db0fb5c39ec498239b91ee0c928f9b19fdb | Triage

Analysis

max time kernel
124s
max time network
124s
platform
windows10_x64
resource
win10v20201028
submitted
03-03-2021 00:20

Sharing

Report Analysis Logs

General

Target

34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1.dll
Size

320KB
MD5

ce8ac0e4da0c1d4406a4a17215db37cf
SHA1

f2df1a5863044e5d6b4ab7d2a2b1ebee9f96d228
SHA256

34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1
SHA512

fcfff47b9074b9013fc00acb9b4a9aee13f820e6369e78a354a3b8d545a8ebf1560f910d6a49edff53384c6e37d61a0b075eb44c6ab89267a0a532f58fbbe7f1

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 26 IoCs

Processes:

msiexec.exe

flow	pid	process
14	188	msiexec.exe
16	188	msiexec.exe
17	188	msiexec.exe
18	188	msiexec.exe
19	188	msiexec.exe
20	188	msiexec.exe
21	188	msiexec.exe
23	188	msiexec.exe
24	188	msiexec.exe
25	188	msiexec.exe
26	188	msiexec.exe
27	188	msiexec.exe
28	188	msiexec.exe
30	188	msiexec.exe
31	188	msiexec.exe
32	188	msiexec.exe
33	188	msiexec.exe
34	188	msiexec.exe
35	188	msiexec.exe
37	188	msiexec.exe
38	188	msiexec.exe
39	188	msiexec.exe
40	188	msiexec.exe
41	188	msiexec.exe
42	188	msiexec.exe
44	188	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1660 set thread context of 188 1660 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 188 msiexec.exe
Token: SeSecurityPrivilege 188 msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 648 wrote to memory of 1660	648	regsvr32.exe	regsvr32.exe
PID 648 wrote to memory of 1660	648	regsvr32.exe	regsvr32.exe
PID 648 wrote to memory of 1660	648	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 188	1660	regsvr32.exe	msiexec.exe
PID 1660 wrote to memory of 188	1660	regsvr32.exe	msiexec.exe
PID 1660 wrote to memory of 188	1660	regsvr32.exe	msiexec.exe
PID 1660 wrote to memory of 188	1660	regsvr32.exe	msiexec.exe
PID 1660 wrote to memory of 188	1660	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-5-0x0000000000000000-mapping.dmp

Download
memory/188-6-0x00000000032F0000-0x0000000003316000-memory.dmp

Filesize
152KB

Download
memory/1660-2-0x0000000000000000-mapping.dmp

Download
memory/1660-3-0x0000000074170000-0x0000000074196000-memory.dmp

Filesize
152KB

Download
memory/1660-4-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download