341a30be185f9984fc4fb3328b8846f97499259f35a6d98abe32532b2c2516af | Triage

Analysis

max time kernel
141s
max time network
144s
platform
windows10_x64
resource
win10
submitted
07-08-2020 18:38

Sharing

Report Analysis Logs

General

Target

[Dev] ¿áQ Air [ÕýÊ½°æ]/¿áQ Air/bin/zlib1.dll
Size

105KB
MD5

b8a9e91134e7c89440a0f95470d5e47b
SHA1

3cbcee30fc0a7e9807931bc0dafceb627042bfc9
SHA256

42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71
SHA512

e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54

Score

9^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3940 WerFault.exe
Token: SeBackupPrivilege 3940 WerFault.exe
Token: SeDebugPrivilege 3940 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe

ServiceHost packer 2 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral8/memory/3216-2-0x0000000000000000-mapping.dmp	servicehost
behavioral8/memory/3216-3-0x0000000000000000-mapping.dmp	servicehost

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3828 wrote to memory of 3216	3828	rundll32.exe	rundll32.exe
PID 3828 wrote to memory of 3216	3828	rundll32.exe	rundll32.exe
PID 3828 wrote to memory of 3216	3828	rundll32.exe	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3940 3216 WerFault.exe rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\[Dev] ¿áQ Air [ÕýÊ½°æ]\¿áQ Air\bin\zlib1.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\[Dev] ¿áQ Air [ÕýÊ½°æ]\¿áQ Air\bin\zlib1.dll",#1
2⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 616
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
PID:3940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3216-0-0x0000000000000000-mapping.dmp

Download
memory/3216-2-0x0000000000000000-mapping.dmp

Download
memory/3216-3-0x0000000000000000-mapping.dmp

Download
memory/3940-1-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3940-4-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download