3c9a4e32c17ea4546ffff39815cff84e0e760bdacb17e87d34f7e9c08532c07d

Resubmissions

09/11/2022, 18:23

09/11/2022, 18:22

09/11/2022, 18:17

28/10/2022, 09:42

28/10/2022, 09:33

28/10/2022, 09:23

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 09:42

Target

disallowable/staunchly.dll
Size

422KB
MD5

e9d9e1b1bb8b47e84448b4e6c91c8a70
SHA1

d1f91902916c2c7f5bb70dca73e0ca82205bbf68
SHA256

9eb14f1275869b04117098b4b6ef71c0ccf33366f96c9ca8f22b2132762eb6d0
SHA512

3fb05d0a65693233c34569bd8d24ef74eb62658c74309f79dda229504f33da123aa1305dc775a25690ffcf51ca9bd029cab21dc9d9a79bf4c0fc20a255ae6d52
SSDEEP

12288:eqdD/sblafl4M/8toGXJZ6diNjno8Ywr6t57AKC:eqdclafl4eGXuiNo8Ye6c

Score

1^/10

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1848	regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1848	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1848	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1848	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1848	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1848	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1848	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1848	1088	regsvr32.exe	28
PID 1848 wrote to memory of 1216	1848	regsvr32.exe	29
PID 1848 wrote to memory of 1216	1848	regsvr32.exe	29
PID 1848 wrote to memory of 1216	1848	regsvr32.exe	29
PID 1848 wrote to memory of 1216	1848	regsvr32.exe	29
PID 1848 wrote to memory of 1216	1848	regsvr32.exe	29
PID 1848 wrote to memory of 1216	1848	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\disallowable\staunchly.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\disallowable\staunchly.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1216

memory/1088-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1216-64-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1216-65-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1848-56-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1848-57-0x0000000000200000-0x0000000000229000-memory.dmp

Filesize
164KB

Download
memory/1848-58-0x0000000000200000-0x0000000000229000-memory.dmp

Filesize
164KB

Download
memory/1848-59-0x0000000000190000-0x00000000001BB000-memory.dmp

Filesize
172KB

Download
memory/1848-60-0x0000000000200000-0x0000000000280000-memory.dmp

Filesize
512KB

Download
memory/1848-63-0x0000000000200000-0x0000000000229000-memory.dmp

Filesize
164KB

Download