Analysis

  • max time kernel
    108s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 11:03

General

  • Target
    011e3dafb77a9d5c25b69c12e6b8318e9cce8b4b41defa49a19ff5abee8bff50.dll
  • Size
    38KB
  • MD5
    3752db2b889a2df668fc80ddc7799bac
  • SHA1
    c45574f6681ce6c3a7c3984472f4558c50d0a968
  • SHA256
    011e3dafb77a9d5c25b69c12e6b8318e9cce8b4b41defa49a19ff5abee8bff50
  • SHA512
    9ce281f7004b01e847564f6320e3be1ced6779164b8200d2a3450efcf982134cfc4ee2decb6a531ad83f8bae7f9c4ec06bf04f39bdbda4689194c973b77b6f3f

Score
8/10

Malware Config

Signatures

  • Sets service image path in registry (2 TTPs)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\011e3dafb77a9d5c25b69c12e6b8318e9cce8b4b41defa49a19ff5abee8bff50.dll
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\regsvr32.exe (child of PID 2172)
      /s C:\Users\Admin\AppData\Local\Temp\011e3dafb77a9d5c25b69c12e6b8318e9cce8b4b41defa49a19ff5abee8bff50.dll
      PID:1128
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 0d85c3ee7d5d18d143b0beb8c24f4c07 Z0ba7Q1OAEyu1wgVw9aMDg.0.1.0.0.0
    • Modifies data under HKEY_USERS
    PID:3320

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (1) T1112