341a30be185f9984fc4fb3328b8846f97499259f35a6d98abe32532b2c2516af

Analysis

Target

[Dev] ¿áQ Air [ÕýÊ½°æ]/¿áQ Air/bin/zlib1.dll
Size

105KB
MD5

b8a9e91134e7c89440a0f95470d5e47b
SHA1

3cbcee30fc0a7e9807931bc0dafceb627042bfc9
SHA256

42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71
SHA512

e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54

Score

9^/10

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious behavior: EnumeratesProcesses 13 IoCs

ServiceHost packer 2 IoCs

Detects ServiceHost packer used for .NET malware

resource	yara_rule
behavioral8/memory/3216-2-0x0000000000000000-mapping.dmp	servicehost
behavioral8/memory/3216-3-0x0000000000000000-mapping.dmp	servicehost

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 3216	3828	rundll32.exe	67
PID 3828 wrote to memory of 3216	3828	rundll32.exe	67
PID 3828 wrote to memory of 3216	3828	rundll32.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3940	3216	WerFault.exe	67

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\[Dev] ¿áQ Air [ÕýÊ½°æ]\¿áQ Air\bin\zlib1.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\[Dev] ¿áQ Air [ÕýÊ½°æ]\¿áQ Air\bin\zlib1.dll",#1
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 616
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Program crash
    PID:3940

memory/3940-1-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3940-4-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download