Analysis

Max time kernel: 71s
Max time network: 110s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 04-03-2021 03:30

Behavioral task: behavioral1
Sample: cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General

Target: cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
Size: 183KB
MD5: d21ed162fd0252e22f31cf7a9cae5540
SHA1: abe719477bf2f69765f401b400759cb71117bff7
SHA256: cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8
SHA512: 8751aa81aa6d53ae9e2fc0424d957a39a365ccba0680e18f0702eab26e48e317a0ca35d61f49197f59c24cc00893d91e06e34568fb5454f80b9c94dd3bc10a68
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid   process       target process
  PID 1732 set thread context of 200  1732  regsvr32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                 pid  process
  Token: SeSecurityPrivilege  200  msiexec.exe
  Token: SeSecurityPrivilege  200  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      pid   process       target process
  PID 416 wrote to memory of 1732  416   regsvr32.exe  regsvr32.exe
  PID 416 wrote to memory of 1732  416   regsvr32.exe  regsvr32.exe
  PID 416 wrote to memory of 1732  416   regsvr32.exe  regsvr32.exe
  PID 1732 wrote to memory of 200  1732  regsvr32.exe  msiexec.exe
  PID 1732 wrote to memory of 200  1732  regsvr32.exe  msiexec.exe
  PID 1732 wrote to memory of 200  1732  regsvr32.exe  msiexec.exe
  PID 1732 wrote to memory of 200  1732  regsvr32.exe  msiexec.exe
  PID 1732 wrote to memory of 200  1732  regsvr32.exe  msiexec.exe
Processes

Each process is indented under its parent; PIDs are taken from the signature tables above.

C:\Windows\system32\regsvr32.exe (PID 416)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe (PID 1732)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 200)
      Command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
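Read together, the signature tables and the process tree describe one chain. The 64-bit regsvr32.exe (PID 416) hands the DLL to its SysWOW64 counterpart (PID 1732), which is how the 64-bit regsvr32 handles a 32-bit DLL; the 32-bit regsvr32 then writes into a newly started msiexec.exe (PID 200) five times and sets one of its thread contexts. A write into another process followed by SetThreadContext on that process is the observable tail of process hollowing (start the target suspended, overwrite its image, point the thread at the new entry point, resume), and msiexec.exe subsequently enabling SeSecurityPrivilege is consistent with injected code running inside it, although the report itself does not identify that code. The script below is an added example and not the sandbox vendor's code: it parses the report's event rows (copied as constructed input, ordered writes-then-SetThreadContext, which is an assumption because the report groups rows by signature rather than by time; the line format it matches is likewise an assumption about this flattened layout) and flags a source/target pair as a hollowing candidate only when a context change follows at least one memory write from the same source. The regsvr32-to-regsvr32 writes, which have no matching SetThreadContext, are reported separately as write-only.

```python
"""Flag process-hollowing candidates in the flattened behavioural events of a
sandbox report: a source process that writes into a target process and then
sets the target's thread context.

Added example, not the sandbox vendor's code. The event lines are copied from
this report's signature tables; the line format they are parsed against is an
assumption about that flattened layout, not the vendor's schema.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed input: the report's three signature tables, one record per line,
# ordered writes-then-SetThreadContext (assumed chronological order).
SAMPLE_EVENTS = """
PID 416 wrote to memory of 1732 416 regsvr32.exe regsvr32.exe
PID 416 wrote to memory of 1732 416 regsvr32.exe regsvr32.exe
PID 416 wrote to memory of 1732 416 regsvr32.exe regsvr32.exe
PID 1732 wrote to memory of 200 1732 regsvr32.exe msiexec.exe
PID 1732 wrote to memory of 200 1732 regsvr32.exe msiexec.exe
PID 1732 wrote to memory of 200 1732 regsvr32.exe msiexec.exe
PID 1732 wrote to memory of 200 1732 regsvr32.exe msiexec.exe
PID 1732 wrote to memory of 200 1732 regsvr32.exe msiexec.exe
PID 1732 set thread context of 200 1732 regsvr32.exe msiexec.exe
Token: SeSecurityPrivilege 200 msiexec.exe
Token: SeSecurityPrivilege 200 msiexec.exe
"""


class Event(NamedTuple):
    kind: str       # "write", "setctx" or "token"
    src_pid: int
    src_name: str
    dst_pid: int    # same as src_pid for token events
    dst_name: str
    privilege: str  # only set for token events


class Verdict(NamedTuple):
    src: str        # "name(pid)"
    dst: str
    writes: int
    label: str      # "hollowing" or "write-only"


# "PID <src> <action> <dst> <src> <src_name> <dst_name>": the flattened table
# repeats the source pid after the target pid, hence the \1 backreference.
_CROSS = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)$")
_TOKEN = re.compile(r"^Token: (\S+) (\d+) (\S+)$")


def parse_events(text: str) -> List[Event]:
    """Turn the flattened report lines into typed events, in input order."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _CROSS.match(line):
            kind = "write" if m.group(2).startswith("wrote") else "setctx"
            events.append(Event(kind, int(m.group(1)), m.group(4),
                                int(m.group(3)), m.group(5), ""))
        elif m := _TOKEN.match(line):
            pid, name = int(m.group(2)), m.group(3)
            events.append(Event("token", pid, name, pid, name, m.group(1)))
        else:
            raise ValueError(f"unrecognised event line: {line!r}")
    return events


def classify_injections(events: List[Event]) -> List[Verdict]:
    """One verdict per (source, target) pair that received memory writes.

    A pair is "hollowing" when a SetThreadContext on the target follows at
    least one write from the same source: the tail of the classic
    create-suspended / write payload / set entry point / resume sequence.
    Writes with no later context change are "write-only", which also covers
    benign parent-to-child setup such as a WoW64 re-launch.
    """
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    names: Dict[Tuple[int, int], Tuple[str, str]] = {}
    hollowed: set = set()
    for ev in events:
        key = (ev.src_pid, ev.dst_pid)
        if ev.kind == "write":
            writes[key] += 1
            names[key] = (ev.src_name, ev.dst_name)
        elif ev.kind == "setctx" and writes.get(key, 0) > 0:
            hollowed.add(key)
    verdicts = []
    for key, count in writes.items():
        src_name, dst_name = names[key]
        verdicts.append(Verdict(f"{src_name}({key[0]})", f"{dst_name}({key[1]})",
                                count, "hollowing" if key in hollowed else "write-only"))
    return verdicts


def privileges_by_pid(events: List[Event]) -> Dict[int, set]:
    """Distinct privileges each process adjusted on its own token."""
    out: Dict[int, set] = defaultdict(set)
    for ev in events:
        if ev.kind == "token":
            out[ev.src_pid].add(ev.privilege)
    return dict(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for v in classify_injections(evs):
        print(f"{v.label:10} {v.src} -> {v.dst} ({v.writes} writes)")
    for pid, privs in privileges_by_pid(evs).items():
        print(f"pid {pid} adjusted token privileges: {sorted(privs)}")
```

Ordering is the point of the check: a SetThreadContext that precedes every write from the same source, or that has no write at all, is not reported as hollowing, because the context change must land after the payload is in place for the technique to work. On a report that does not preserve time order, treat the "hollowing" label as "both APIs were used on this pair" and confirm the sequence from the raw API trace before relying on it.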