Analysis
max time kernel: 135s
max time network: 143s
platform: windows10_x64
resource: win10v200430
submitted: 04-07-2020 08:04
Static task: static1
Behavioral task: behavioral1
Sample: 3599f01a6162db10307b75c7132c06db.dll
Resource: win7 (windows7_x64), 0 signatures, 0 seconds
General
Target: 3599f01a6162db10307b75c7132c06db.dll
Size: 634KB
MD5: 3599f01a6162db10307b75c7132c06db
SHA1: 363a23608cccc5d39393c51eb9570e624aef8558
SHA256: 3326d4607b164078735ee55313992c18e83e6b87b75faf350b8c61a99eb2b659
SHA512: c63566de21e4aba265ae80a51f56a9622e4bdac40430b477d269304f6793f062742728ebf4ba9457cf48c3d9bd654b81d48fbec7f1b304392f51d14efa1ebafd
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description              pid   process       target process
  PID 2248 created 4008    2248  WerFault.exe  rundll32.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description              pid   process       target process
  PID 4008 created 2984    4008  rundll32.exe  Explorer.EXE

ServiceHost packer (1 IoC)
Detects ServiceHost packer used for .NET malware
Processes:
  resource                                                   yara_rule
  behavioral2/memory/4008-4-0x0000000000000000-mapping.dmp   servicehost

Blacklisted process makes network request (17 IoCs)
Processes:
  flow                                                                pid  process
  8, 9, 10, 11, 12, 13, 15, 17, 19, 21, 22, 24, 26, 28, 30, 32, 34    8    msiexec.exe (one IoC per flow)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid   process       target process
  PID 4008 set thread context of 8    4008  rundll32.exe  msiexec.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2248  4008        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  pid   process       count
  4008  rundll32.exe  2
  2248  WerFault.exe  13

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     4008  rundll32.exe
  Token: SeRestorePrivilege   2248  WerFault.exe
  Token: SeBackupPrivilege    2248  WerFault.exe
  Token: SeDebugPrivilege     2248  WerFault.exe
  Token: SeSecurityPrivilege  8     msiexec.exe
  Token: SeSecurityPrivilege  8     msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process       target process  count
  PID 1516 wrote to memory of 4008   1516  rundll32.exe  rundll32.exe    3
  PID 4008 wrote to memory of 8      4008  rundll32.exe  msiexec.exe     5
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3599f01a6162db10307b75c7132c06db.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3599f01a6162db10307b75c7132c06db.dll,#1
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 596
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  memory/8-1-0x0000000002DC0000-0x0000000002DEC000-memory.dmp        Filesize: 176KB
  memory/8-2-0x0000000000000000-mapping.dmp
  memory/2248-3-0x0000000004AD0000-0x0000000004AD1000-memory.dmp     Filesize: 4KB
  memory/2248-5-0x00000000053D0000-0x00000000053D1000-memory.dmp     Filesize: 4KB
  memory/4008-0-0x0000000000000000-mapping.dmp
  memory/4008-4-0x0000000000000000-mapping.dmp