Overview

overview

10

Static

static

10

file.dll

windows7_x64

1

file.dll

windows10_x64

10

Analysis

  • max time kernel
    34s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.dll

  • Size

    166KB

  • MD5

    17571a5ec4f465399a653c404df6c6a7

  • SHA1

    1f74c7ce841db9e7f840bdf4d6d8beb2cd3967b6

  • SHA256

    c867959e7f75f00eb11dae861bb9c198421215bb10f88e0c26e3c36aa93bd17a

  • SHA512

    5d3f2574633d99b59e8cdc5530c42c0e4118ae13c8f7f28fc1b879f3923cc04e06f7811d4f7909738220f190c1c647cab3d140eec7da9a96d3e336523c06f39b

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • ServiceHost packer 6 IoCs

    Detects ServiceHost packer used for .NET malware

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
      2⤵
        PID:3876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 876
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1840

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1840-1-0x0000000004A20000-0x0000000004A21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1840-8-0x0000000005610000-0x0000000005611000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3876-0-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-3-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-4-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-5-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-6-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-2-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-7-0x0000000000000000-mapping.dmp
      Download