4365afc176d3351b932fd109b667523ed6f9cadbbd1681dee3f3ed863f331267 | Triage

Analysis

max time kernel
147s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
03-03-2021 02:04

Sharing

Report Analysis Logs

General

Target

10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c.dll
Size

344KB
MD5

0358fcd58c56d6cedec03b80c64ff988
SHA1

34816e94bf4cc91c3c8bd6a8c087f6592ab28e96
SHA256

10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c
SHA512

677e4d1c61cfb19ca47c11d3fbfbc68f546ee5095e89075b76ba9c4b7b42ebe4f920ce0ff6b4174ce33fc87f97c398a757203c406413423751b8caa1d9d2248a

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 16 IoCs

Processes:

msiexec.exe

flow	pid	process
15	1364	msiexec.exe
16	1364	msiexec.exe
17	1364	msiexec.exe
18	1364	msiexec.exe
19	1364	msiexec.exe
20	1364	msiexec.exe
22	1364	msiexec.exe
23	1364	msiexec.exe
24	1364	msiexec.exe
25	1364	msiexec.exe
26	1364	msiexec.exe
27	1364	msiexec.exe
29	1364	msiexec.exe
30	1364	msiexec.exe
31	1364	msiexec.exe
32	1364	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 796 set thread context of 1364 796 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1364 msiexec.exe
Token: SeSecurityPrivilege 1364 msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4052 wrote to memory of 796	4052	regsvr32.exe	regsvr32.exe
PID 4052 wrote to memory of 796	4052	regsvr32.exe	regsvr32.exe
PID 4052 wrote to memory of 796	4052	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 1364	796	regsvr32.exe	msiexec.exe
PID 796 wrote to memory of 1364	796	regsvr32.exe	msiexec.exe
PID 796 wrote to memory of 1364	796	regsvr32.exe	msiexec.exe
PID 796 wrote to memory of 1364	796	regsvr32.exe	msiexec.exe
PID 796 wrote to memory of 1364	796	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-2-0x0000000000000000-mapping.dmp

Download
memory/796-3-0x0000000073BD0000-0x0000000073BF5000-memory.dmp

Filesize
148KB

Download
memory/796-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/1364-5-0x0000000000000000-mapping.dmp

Download
memory/1364-6-0x0000000002C00000-0x0000000002C25000-memory.dmp

Filesize
148KB

Download