Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2022, 08:11
Static task
static1
Behavioral task
behavioral1
Sample
Details.lnk
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
Details.lnk
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
disallowable/beached.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
disallowable/beached.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
disallowable/lathered.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
disallowable/lathered.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
General
-
Target
disallowable/lathered.dll
-
Size
422KB
-
MD5
0d1e0b675c2d011dcfc50d8f32be384c
-
SHA1
0b58740268ce9dec99972000115a84d28a88f07f
-
SHA256
f7b52dd58ca45a89769c61c6bb2fdcea5c68c1fe2b43578b4678c979cc106a1b
-
SHA512
08b296caa57ea788892ab8b802efecc5e16f03c6077fa5dfed574c06c31ac6e474503089d7df74a4284998cdfb69df8142d98be7c8b996a41a0cb6c93c3b26b8
-
SSDEEP
12288:eqdD/sblafl4M/8toGXJZ6diNjTo8Ywr6t57AKC:eqdclafl4eGXuiNk8Ye6c
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1796 regsvr32.exe 1796 regsvr32.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe 2664 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1796 regsvr32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4512 wrote to memory of 1796 4512 regsvr32.exe 82 PID 4512 wrote to memory of 1796 4512 regsvr32.exe 82 PID 4512 wrote to memory of 1796 4512 regsvr32.exe 82 PID 1796 wrote to memory of 2664 1796 regsvr32.exe 86 PID 1796 wrote to memory of 2664 1796 regsvr32.exe 86 PID 1796 wrote to memory of 2664 1796 regsvr32.exe 86 PID 1796 wrote to memory of 2664 1796 regsvr32.exe 86 PID 1796 wrote to memory of 2664 1796 regsvr32.exe 86
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\disallowable\lathered.dll1⤵
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\disallowable\lathered.dll2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664
-
-