7a0e70c85d65c95a7c98a7f14eaaa9b9f59795add4abb6a09ff2d75fbf947e80 | Triage

Analysis

max time kernel
82s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
03-03-2021 08:25

Sharing

Report Analysis Logs

General

Target

server.dll
Size

336KB
MD5

f6f15b210088e340c2f223ffb6894d12
SHA1

9edb31c56cc8befe1e41924f53cb96f9962c2328
SHA256

7a0e70c85d65c95a7c98a7f14eaaa9b9f59795add4abb6a09ff2d75fbf947e80
SHA512

b5b20f1e8f943bef8777b94c88d85a535c27563821bd62f68dace9b5e4842246a21eab33aa52f33eeb218bb098bc2197fc92eba058744834414879b22e360d53

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 22 IoCs

Processes:

msiexec.exe

flow	pid	process
18	4252	msiexec.exe
19	4252	msiexec.exe
20	4252	msiexec.exe
21	4252	msiexec.exe
22	4252	msiexec.exe
23	4252	msiexec.exe
25	4252	msiexec.exe
26	4252	msiexec.exe
27	4252	msiexec.exe
28	4252	msiexec.exe
29	4252	msiexec.exe
30	4252	msiexec.exe
32	4252	msiexec.exe
33	4252	msiexec.exe
34	4252	msiexec.exe
35	4252	msiexec.exe
36	4252	msiexec.exe
37	4252	msiexec.exe
39	4252	msiexec.exe
41	4252	msiexec.exe
43	4252	msiexec.exe
45	4252	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 4872 set thread context of 4252 4872 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 4252 msiexec.exe
Token: SeSecurityPrivilege 4252 msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4712 wrote to memory of 4872	4712	regsvr32.exe	regsvr32.exe
PID 4712 wrote to memory of 4872	4712	regsvr32.exe	regsvr32.exe
PID 4712 wrote to memory of 4872	4712	regsvr32.exe	regsvr32.exe
PID 4872 wrote to memory of 4252	4872	regsvr32.exe	msiexec.exe
PID 4872 wrote to memory of 4252	4872	regsvr32.exe	msiexec.exe
PID 4872 wrote to memory of 4252	4872	regsvr32.exe	msiexec.exe
PID 4872 wrote to memory of 4252	4872	regsvr32.exe	msiexec.exe
PID 4872 wrote to memory of 4252	4872	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\server.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\server.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4252-5-0x0000000000000000-mapping.dmp

Download
memory/4252-6-0x00000000023B0000-0x00000000023D9000-memory.dmp

Filesize
164KB

Download
memory/4872-2-0x0000000000000000-mapping.dmp

Download
memory/4872-3-0x0000000074350000-0x0000000074379000-memory.dmp

Filesize
164KB

Download
memory/4872-4-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download