Analysis
- max time kernel: 73s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-03-2021 11:20
- Static task: static1
- Behavioral task: behavioral1 (Sample: qUDLf.dll, Resource: win7v20201028, 0 signatures, 0 seconds)
- Behavioral task: behavioral2 (Sample: qUDLf.dll, Resource: win10v20201028, 0 signatures, 0 seconds)
General
- Target: qUDLf.dll
- Size: 300KB
- MD5: 35377178edc832c00f9b8f04c961e1fd
- SHA1: ca363d13d681ba404101b76acf8bc7ae518c149a
- SHA256: 8c19669b6ea804b0f3d63a285e115a01084efffc9501c31b0b09d79cadba34e6
- SHA512: 7bc01e2219fddddb480ba64521002e392eddd17f0f0a43249c5fd13205dde0f8a1e777e23bf266697b70cb077534d672ce81afdbb78a61996174d73fda6c562a
- Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes:
  flow  pid   process
  22    1608  msiexec.exe
  23    1608  msiexec.exe
  24    1608  msiexec.exe
  25    1608  msiexec.exe
  26    1608  msiexec.exe
  27    1608  msiexec.exe
  29    1608  msiexec.exe
  31    1608  msiexec.exe
  33    1608  msiexec.exe
  34    1608  msiexec.exe
  37    1608  msiexec.exe
  38    1608  msiexec.exe
  39    1608  msiexec.exe
  40    1608  msiexec.exe
  42    1608  msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                             pid   process       target process
  PID 3808 set thread context of 1608     3808  regsvr32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                  pid   process
  Token: SeSecurityPrivilege   1608  msiexec.exe
  Token: SeSecurityPrivilege   1608  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                          pid   process       target process
  PID 3976 wrote to memory of 3808     3976  regsvr32.exe  regsvr32.exe
  PID 3976 wrote to memory of 3808     3976  regsvr32.exe  regsvr32.exe
  PID 3976 wrote to memory of 3808     3976  regsvr32.exe  regsvr32.exe
  PID 3808 wrote to memory of 1608     3808  regsvr32.exe  msiexec.exe
  PID 3808 wrote to memory of 1608     3808  regsvr32.exe  msiexec.exe
  PID 3808 wrote to memory of 1608     3808  regsvr32.exe  msiexec.exe
  PID 3808 wrote to memory of 1608     3808  regsvr32.exe  msiexec.exe
  PID 3808 wrote to memory of 1608     3808  regsvr32.exe  msiexec.exe
Processes
- C:\Windows\system32\regsvr32.exe (depth 1)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\qUDLf.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\qUDLf.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (depth 3)
      Command line: msiexec.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1608-5-0x0000000000000000-mapping.dmp
- memory/1608-6-0x0000000003050000-0x0000000003079000-memory.dmp (Filesize: 164KB)
- memory/3808-2-0x0000000000000000-mapping.dmp
- memory/3808-3-0x0000000073CE0000-0x0000000073D09000-memory.dmp (Filesize: 164KB)
- memory/3808-4-0x0000000000A50000-0x0000000000A51000-memory.dmp (Filesize: 4KB)