Resubmissions
25-07-2022 08:34

Analysis 220725-kgh6wabefn (score 10)
max time kernel: 94s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 08:34
Behavioral task: behavioral1
Sample: trespay.dll
Resource: win7-20220715-en (windows7-x64)
1 signatures
150 seconds
General
Target: trespay.dll
Size: 126KB
MD5: 3e8576445e163033b0d47403223270eb
SHA1: b516e6ce199b43d997eac2f3a41d537997e103ef
SHA256: f161a836afdfcf9341cae1cc806404ff178b061266e71e587117b987ed36029d
SHA512: 1c147b9c0ad43eeb8ea66e98c7186c5fea8a030cc2d0b92a87c1b7a14254fb5c8a996ec0a530fa91923601f8af4cc6130b12737173b9e74d52357d57ff3fea4f
Malware Config

Signatures
- Program crash (1 IoCs)
  Processes:
  pid   pid_target   process        target process
  1760  2480         WerFault.exe   regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                   pid   process        target process
  PID 4268 wrote to memory of 2480   4268  regsvr32.exe   regsvr32.exe
  PID 4268 wrote to memory of 2480   4268  regsvr32.exe   regsvr32.exe
  PID 4268 wrote to memory of 2480   4268  regsvr32.exe   regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\trespay.dll
  signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\trespay.dll
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 604
      signature: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2480 -ip 2480