Analysis

max time kernel: 9s
max time network: 11s
platform: windows7_x64
resource: win7v200722
submitted: 09-09-2020 12:25

Static task: static1
Behavioral task: behavioral1
Sample: dc475e00d9bc4e94ab1d528a5540e67d.exe
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds
General

Target: dc475e00d9bc4e94ab1d528a5540e67d.exe
Size: 371KB
MD5: dc475e00d9bc4e94ab1d528a5540e67d
SHA1: 348dbddf7b7c0488f25afb5c8f0ec312f7813fee
SHA256: bc36c8d0ca400dd8e12f7d5af0569c24f549305697b46804fa700edf573884fb
SHA512: c992aa79f057e9169b259cabe3ede64fba606f7434e496cc0c910211a5f8ba0cb67784a6a14827bd67ceb3897156add1ce2a59a00cad8e9a24e24a210f118486
Score: 7/10
Malware Config
Signatures

Loads dropped DLL (1 IoC)
  pid   process
  1928  rundll32.exe

Program crash (1 IoC)
  pid   pid_target  process       target process
  1576  1928        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  1576  WerFault.exe  (reported 5 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1576  WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   process                               target process
  PID 540 wrote to memory of 1928   540   dc475e00d9bc4e94ab1d528a5540e67d.exe  rundll32.exe  (reported 7 times)
  PID 1928 wrote to memory of 1576  1928  rundll32.exe                          WerFault.exe  (reported 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\dc475e00d9bc4e94ab1d528a5540e67d.exe (PID 540)
   "C:\Users\Admin\AppData\Local\Temp\dc475e00d9bc4e94ab1d528a5540e67d.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1928)
      rundll32.exe Draughtboard,Hurley
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1576)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 228
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Note: rundll32 is invoked with a bare module name (Draughtboard) and an export name (Hurley), not a path. The "Loads dropped DLL" signature on PID 1928, together with the dropped Draughtboard.DLL in the same Temp directory as the parent executable, identifies which file that name resolved to. The run ends with WerFault reporting a crash of that rundll32 instance (-p 1928), so the behaviour recorded here is only what happened before the loaded DLL crashed its host.
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Temp\Bagpipe
- C:\Users\Admin\AppData\Local\Temp\Draughtboard.DLL
- \Users\Admin\AppData\Local\Temp\Draughtboard.dll
- memory/1576-4-0x0000000000000000-mapping.dmp
- memory/1576-5-0x0000000001EE0000-0x0000000001EF1000-memory.dmp (68KB)
- memory/1576-7-0x00000000024C0000-0x00000000024D1000-memory.dmp (68KB)
- memory/1928-0-0x0000000000000000-mapping.dmp
- memory/1928-6-0x0000000000000000-mapping.dmp
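The following is an added example, not part of the sandbox report or of the sandbox's own signature engine. It re-derives the report's central finding from the Processes and Downloads sections above: a rundll32 instance given a bare module name that matches a file dropped into a user-writable directory (or whose parent runs from one), followed by a WerFault invocation whose -p target is that rundll32 PID. The process records and dropped-file paths are constructed from the report; the USER_WRITABLE directory markers and the output field names are the example's own choices.

```python
"""Added example: flag rundll32 loading a dropped DLL by bare name, and the
later WerFault crash report for that rundll32 instance.

Inputs are constructed from the Processes and Downloads sections of the
report above; nothing here is read from a live system.
"""
import ntpath
import re
from dataclasses import dataclass

# Directory markers treated as user-writable (assumption: a typical
# workstation layout; extend for the environment being monitored).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the Processes section (PIDs from the signature tables).
# PPID 0 marks the root of the tree.
PROCS = [
    Proc(540, 0,
         r"C:\Users\Admin\AppData\Local\Temp\dc475e00d9bc4e94ab1d528a5540e67d.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\dc475e00d9bc4e94ab1d528a5540e67d.exe"'),
    Proc(1928, 540, r"C:\Windows\SysWOW64\rundll32.exe",
         "rundll32.exe Draughtboard,Hurley"),
    Proc(1576, 1928, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 228"),
]

# Constructed from the Downloads section (file drops only, not memory dumps).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Temp\Bagpipe",
    r"C:\Users\Admin\AppData\Local\Temp\Draughtboard.DLL",
]


def in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def rundll32_target(cmdline):
    """Return (module, export) for 'rundll32.exe <module>,<export> ...',
    else None. Quoted module paths containing spaces are not handled
    (assumption: enough for the command lines in this report)."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2 or not parts[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    arg = parts[1].split()[0]
    if "," not in arg:
        return None
    module, export = arg.split(",", 1)
    return module.strip('"'), export


def dropped_candidates(module, dropped):
    """Dropped files a module name could resolve to: same stem, and either
    no extension or .dll (LoadLibrary appends .dll to a bare name)."""
    stem = ntpath.splitext(ntpath.basename(module))[0].lower()
    hits = []
    for path in dropped:
        name, ext = ntpath.splitext(ntpath.basename(path))
        if name.lower() == stem and ext.lower() in ("", ".dll"):
            hits.append(path)
    return hits


def find_alerts(procs, dropped):
    by_pid = {p.pid: p for p in procs}
    alerts, flagged = [], set()
    for p in procs:
        target = rundll32_target(p.cmdline)
        if target is None:
            continue
        module, export = target
        bare = ntpath.dirname(module) == ""          # no directory given
        hits = [d for d in dropped_candidates(module, dropped) if in_user_writable(d)]
        parent = by_pid.get(p.ppid)
        parent_suspicious = parent is not None and in_user_writable(parent.image)
        if bare and (hits or parent_suspicious):
            flagged.add(p.pid)
            alerts.append({"rule": "rundll32 bare module from dropped file",
                           "pid": p.pid, "module": module, "export": export,
                           "dropped": hits, "parent": p.ppid})
    for p in procs:
        if not p.image.lower().endswith("werfault.exe"):
            continue
        m = re.search(r"-p\s+(\d+)", p.cmdline)   # -p <pid of crashed process>
        if m and int(m.group(1)) in flagged:
            alerts.append({"rule": "loaded payload crashed",
                           "pid": p.pid, "target": int(m.group(1))})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(PROCS, DROPPED):
        print(alert)
```

Run against the constructed records this yields two alerts: PID 1928 loading Draughtboard (export Hurley) from the Temp-resident Draughtboard.DLL, and PID 1576 (WerFault) reporting the crash of PID 1928. The bare-name check matters because a rundll32 command line that names a full path under C:\Windows is routine, while one that names only a stem is resolved through the DLL search path and can land on whatever the parent dropped alongside itself.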