Analysis
- max time kernel: 34s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: file.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: file.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: file.dll
- Size: 166KB
- MD5: 17571a5ec4f465399a653c404df6c6a7
- SHA1: 1f74c7ce841db9e7f840bdf4d6d8beb2cd3967b6
- SHA256: c867959e7f75f00eb11dae861bb9c198421215bb10f88e0c26e3c36aa93bd17a
- SHA512: 5d3f2574633d99b59e8cdc5530c42c0e4118ae13c8f7f28fc1b879f3923cc04e06f7811d4f7909738220f190c1c647cab3d140eec7da9a96d3e336523c06f39b
Score: 10/10
Malware Config
Signatures
-
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  PID 1840 created 3876 | 1840 | WerFault.exe | rundll32.exe
- ServiceHost packer (6 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes (resource | yara_rule):
  behavioral2/memory/3876-3-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/3876-4-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/3876-5-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/3876-6-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/3876-2-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/3876-7-0x0000000000000000-mapping.dmp | servicehost
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  1840 | 3876 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
  1840 | WerFault.exe (same row repeated 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeRestorePrivilege | 1840 | WerFault.exe
  Token: SeBackupPrivilege | 1840 | WerFault.exe
  Token: SeDebugPrivilege | 1840 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 3904 wrote to memory of 3876 | 3904 | rundll32.exe | rundll32.exe (same row repeated 3 times)
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 876
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1840-1-0x0000000004A20000-0x0000000004A21000-memory.dmp (Filesize: 4KB)
- memory/1840-8-0x0000000005610000-0x0000000005611000-memory.dmp (Filesize: 4KB)
- memory/3876-0-0x0000000000000000-mapping.dmp
- memory/3876-3-0x0000000000000000-mapping.dmp
- memory/3876-4-0x0000000000000000-mapping.dmp
- memory/3876-5-0x0000000000000000-mapping.dmp
- memory/3876-6-0x0000000000000000-mapping.dmp
- memory/3876-2-0x0000000000000000-mapping.dmp
- memory/3876-7-0x0000000000000000-mapping.dmp