8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990

Analysis

max time kernel
4294211s
max time network
121s
platform
windows7_x64
resource
win7-20220311-en
submitted
27-03-2022 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990.dll
Size

557KB
MD5

c2fba37cf1416e0f9b29b8fbd54d5374
SHA1

3761b6fe71d30ba3a2c9dfd87de851da4158f144
SHA256

8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990
SHA512

405648da26330a273a21de4fe6427610028e47cebf03bd143f78da9c02dd07347ffae418d29e1968606c51bfac57ecb34f872187559e2804e1f00fe1f76615a8

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
872	regsvr32.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 872	1460	regsvr32.exe	27
PID 1460 wrote to memory of 872	1460	regsvr32.exe	27
PID 1460 wrote to memory of 872	1460	regsvr32.exe	27
PID 1460 wrote to memory of 872	1460	regsvr32.exe	27
PID 1460 wrote to memory of 872	1460	regsvr32.exe	27
PID 1460 wrote to memory of 872	1460	regsvr32.exe	27
PID 1460 wrote to memory of 872	1460	regsvr32.exe	27
PID 872 wrote to memory of 1248	872	regsvr32.exe	30
PID 872 wrote to memory of 1248	872	regsvr32.exe	30
PID 872 wrote to memory of 1248	872	regsvr32.exe	30
PID 872 wrote to memory of 1248	872	regsvr32.exe	30
PID 1248 wrote to memory of 1468	1248	cmd.exe	32
PID 1248 wrote to memory of 1468	1248	cmd.exe	32
PID 1248 wrote to memory of 1468	1248	cmd.exe	32
PID 1248 wrote to memory of 1468	1248	cmd.exe	32
PID 1468 wrote to memory of 928	1468	net.exe	33
PID 1468 wrote to memory of 928	1468	net.exe	33
PID 1468 wrote to memory of 928	1468	net.exe	33
PID 1468 wrote to memory of 928	1468	net.exe	33
PID 872 wrote to memory of 1308	872	regsvr32.exe	34
PID 872 wrote to memory of 1308	872	regsvr32.exe	34
PID 872 wrote to memory of 1308	872	regsvr32.exe	34
PID 872 wrote to memory of 1308	872	regsvr32.exe	34
PID 1308 wrote to memory of 432	1308	cmd.exe	36
PID 1308 wrote to memory of 432	1308	cmd.exe	36
PID 1308 wrote to memory of 432	1308	cmd.exe	36
PID 1308 wrote to memory of 432	1308	cmd.exe	36
PID 432 wrote to memory of 1664	432	net.exe	37
PID 432 wrote to memory of 1664	432	net.exe	37
PID 432 wrote to memory of 1664	432	net.exe	37
PID 432 wrote to memory of 1664	432	net.exe	37
PID 872 wrote to memory of 1808	872	regsvr32.exe	38
PID 872 wrote to memory of 1808	872	regsvr32.exe	38
PID 872 wrote to memory of 1808	872	regsvr32.exe	38
PID 872 wrote to memory of 1808	872	regsvr32.exe	38
PID 1808 wrote to memory of 1520	1808	cmd.exe	40
PID 1808 wrote to memory of 1520	1808	cmd.exe	40
PID 1808 wrote to memory of 1520	1808	cmd.exe	40
PID 1808 wrote to memory of 1520	1808	cmd.exe	40
PID 1520 wrote to memory of 1508	1520	net.exe	41
PID 1520 wrote to memory of 1508	1520	net.exe	41
PID 1520 wrote to memory of 1508	1520	net.exe	41
PID 1520 wrote to memory of 1508	1520	net.exe	41
PID 872 wrote to memory of 1692	872	regsvr32.exe	42
PID 872 wrote to memory of 1692	872	regsvr32.exe	42
PID 872 wrote to memory of 1692	872	regsvr32.exe	42
PID 872 wrote to memory of 1692	872	regsvr32.exe	42
PID 1692 wrote to memory of 1532	1692	cmd.exe	44
PID 1692 wrote to memory of 1532	1692	cmd.exe	44
PID 1692 wrote to memory of 1532	1692	cmd.exe	44
PID 1692 wrote to memory of 1532	1692	cmd.exe	44
PID 1532 wrote to memory of 1184	1532	net.exe	45
PID 1532 wrote to memory of 1184	1532	net.exe	45
PID 1532 wrote to memory of 1184	1532	net.exe	45
PID 1532 wrote to memory of 1184	1532	net.exe	45

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Backup Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Backup Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
        5⤵
        
        PID:928
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Filter Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Filter Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
        5⤵
        
        PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSOLAP$SQL_2008 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SQL_2008 /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        5⤵
        
        PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$BKUPEXEC /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$BKUPEXEC /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        5⤵
        
        PID:1184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-58-0x0000000000190000-0x00000000001BD000-memory.dmp

Filesize
180KB

Download
memory/872-56-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1460-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download