8c19669b6ea804b0f3d63a285e115a01084efffc9501c31b0b09d79cadba34e6 | Triage

Analysis

max time kernel
73s
max time network
121s
platform
windows10_x64
resource
win10v20201028
submitted
10-03-2021 11:20

Sharing

Report Analysis Logs

General

Target

qUDLf.dll
Size

300KB
MD5

35377178edc832c00f9b8f04c961e1fd
SHA1

ca363d13d681ba404101b76acf8bc7ae518c149a
SHA256

8c19669b6ea804b0f3d63a285e115a01084efffc9501c31b0b09d79cadba34e6
SHA512

7bc01e2219fddddb480ba64521002e392eddd17f0f0a43249c5fd13205dde0f8a1e777e23bf266697b70cb077534d672ce81afdbb78a61996174d73fda6c562a

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

Processes:

msiexec.exe

flow	pid	process
22	1608	msiexec.exe
23	1608	msiexec.exe
24	1608	msiexec.exe
25	1608	msiexec.exe
26	1608	msiexec.exe
27	1608	msiexec.exe
29	1608	msiexec.exe
31	1608	msiexec.exe
33	1608	msiexec.exe
34	1608	msiexec.exe
37	1608	msiexec.exe
38	1608	msiexec.exe
39	1608	msiexec.exe
40	1608	msiexec.exe
42	1608	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3808 set thread context of 1608 3808 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1608 msiexec.exe
Token: SeSecurityPrivilege 1608 msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3976 wrote to memory of 3808	3976	regsvr32.exe	regsvr32.exe
PID 3976 wrote to memory of 3808	3976	regsvr32.exe	regsvr32.exe
PID 3976 wrote to memory of 3808	3976	regsvr32.exe	regsvr32.exe
PID 3808 wrote to memory of 1608	3808	regsvr32.exe	msiexec.exe
PID 3808 wrote to memory of 1608	3808	regsvr32.exe	msiexec.exe
PID 3808 wrote to memory of 1608	3808	regsvr32.exe	msiexec.exe
PID 3808 wrote to memory of 1608	3808	regsvr32.exe	msiexec.exe
PID 3808 wrote to memory of 1608	3808	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\qUDLf.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\qUDLf.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-5-0x0000000000000000-mapping.dmp

Download
memory/1608-6-0x0000000003050000-0x0000000003079000-memory.dmp

Filesize
164KB

Download
memory/3808-2-0x0000000000000000-mapping.dmp

Download
memory/3808-3-0x0000000073CE0000-0x0000000073D09000-memory.dmp

Filesize
164KB

Download
memory/3808-4-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download