Analysis
max time kernel: 39s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:13
Static task: static1
Behavioral task: behavioral1
Sample: lfahe1.cab.dll
Resource: win7v20201028
General
Target: lfahe1.cab.dll
Size: 523KB
MD5: 4f74df55ff11ae52b59a5ae086593347
SHA1: b0f465a36e86e11ce00756e7e81b679bd9f98c29
SHA256: de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3
SHA512: 4a0bd09d0428a0df5a675d74d2fe40e4c05c74a78bd34dcb1bb5dd23f1da70e0ee2ac0f4de04cb8c19478065835c90b8e9373579c054786c98ef3896d772a3e2
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 2456 created 1192 | 2456 | WerFault.exe | rundll32.exe

Valak JavaScript Loader (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Public\xSsGKcUqL.vA_YV | valak
C:\Users\Public\xSsGKcUqL.vA_YV | valak_js

ServiceHost packer (4 IoCs)
Detects ServiceHost packer used for .NET malware
Processes:
resource | yara_rule
behavioral2/memory/1192-4-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/1192-6-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/1192-7-0x0000000000000000-mapping.dmp | servicehost
behavioral2/memory/1192-5-0x0000000000000000-mapping.dmp | servicehost

JavaScript code in executable (1 IoC)
Processes:
resource | yara_rule
C:\Users\Public\xSsGKcUqL.vA_YV | js

Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
2456 | 1192 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid | process
2456 | WerFault.exe (the same entry is recorded 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 2456 | WerFault.exe
Token: SeBackupPrivilege | 2456 | WerFault.exe
Token: SeDebugPrivilege | 2456 | WerFault.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 428 wrote to memory of 1192 | 428 | rundll32.exe | rundll32.exe (recorded 3 times)
PID 1192 wrote to memory of 2320 | 1192 | rundll32.exe | wscript.exe (recorded 3 times)
Processes

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
    PID: 428
    signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of 428)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
      PID: 1192
      signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe (child of 1192)
        command line: wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
        PID: 2320

    C:\Windows\SysWOW64\WerFault.exe (child of 1192)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 680
        PID: 2456
        signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
    command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 640
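The chain this report records is the part worth detecting: the 64-bit rundll32.exe loads export #1 of the DLL, relaunches itself as the 32-bit SysWOW64 rundll32.exe, which writes into wscript.exe and runs a file at C:\Users\Public\xSsGKcUqL.vA_YV (flagged by the valak and valak_js YARA rules) with the JScript engine forced via //E:jscript, since the file's extension is not a script extension. The Python below is an added example and not part of the sandbox output: it scores wscript.exe launches from constructed process-creation events that mirror the tree above. PIDs 428, 1192, 2320 and 2456 come from the report; explorer.exe as PID 3000, the benign wscript run as PID 3100, and the simplified event fields (pid, ppid, image, cmdline) are assumptions, not a real log format.

```python
"""Score wscript.exe launches for the rundll32 -> rundll32 (WoW64) -> wscript //E:jscript chain.

Added example, not part of the sandbox report. Events are constructed to mirror the
report's process tree; the field names are an assumed simplification of a Sysmon
Event ID 1 / Security 4688 record.
"""
import ntpath
import re
from dataclasses import dataclass

# Extensions the Windows Script Host would normally be asked to run.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
PUBLIC_DIR = r"c:\users\public"
# wscript.exe //E:<engine> <file>: the engine is applied regardless of the file's extension.
ENGINE_RE = re.compile(r'//e:(\w+)\s+"?([^"\s]+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. PIDs 428, 1192, 2320, 2456 and their command lines follow the
# report; PID 3000 (explorer.exe) and the benign PID 3100 run are assumed for contrast.
EVENTS = [
    ProcEvent(3000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(428, 3000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1"),
    ProcEvent(1192, 428, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1"),
    ProcEvent(2320, 1192, r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV"'),
    ProcEvent(2456, 1192, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 680"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //E:jscript "C:\Scripts\inventory.js"'),
]


def _name(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(image).lower()


def script_from_cmdline(cmdline: str):
    """Return (engine, script path) from a 'wscript.exe //E:<engine> <file>' command line."""
    m = ENGINE_RE.search(cmdline)
    return (m.group(1).lower(), m.group(2)) if m else None


def score_wscript_launch(ev: ProcEvent, by_pid: dict) -> list:
    """Reasons a wscript.exe launch resembles the loader chain in the report."""
    if _name(ev.image) != "wscript.exe":
        return []
    parsed = script_from_cmdline(ev.cmdline)
    if parsed is None:
        return []
    engine, script = parsed
    reasons = []
    # A forced engine on a file that is not named like a script (here .vA_YV).
    if engine in ("jscript", "vbscript") and ntpath.splitext(script)[1].lower() not in SCRIPT_EXTS:
        reasons.append("engine_forced_on_nonscript_extension")
    # World-writable staging directory used for the dropped loader.
    if script.lower().startswith(PUBLIC_DIR):
        reasons.append("script_in_users_public")
    parent = by_pid.get(ev.ppid)
    if parent and _name(parent.image) == "rundll32.exe":
        reasons.append("parent_rundll32")
        grandparent = by_pid.get(parent.ppid)
        # 64-bit system32 rundll32 re-launching itself as the 32-bit SysWOW64 copy.
        if (grandparent and _name(grandparent.image) == "rundll32.exe"
                and "syswow64" in parent.image.lower()
                and "system32" in grandparent.image.lower()):
            reasons.append("rundll32_relaunched_as_wow64")
    return reasons


def find_loader_chains(events: list) -> list:
    """Flag wscript launches carrying at least two indicators."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        reasons = score_wscript_launch(ev, by_pid)
        if len(reasons) >= 2:
            hits.append({"pid": ev.pid, "script": script_from_cmdline(ev.cmdline)[1], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_loader_chains(EVENTS):
        print(f"PID {hit['pid']}: {hit['script']} -> {', '.join(hit['reasons'])}")
```

Requiring two indicators keeps a legitimate `wscript.exe //E:jscript` run of a `.js` file from explorer.exe out of the results, while the report's wscript launch trips all four. The same scoring maps directly onto a Sysmon Event ID 1 query (Image, ParentImage, CommandLine) or a Sigma rule; the parent-of-parent check needs the ProcessGuid chain in that case.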
Network
MITRE ATT&CK Matrix
Downloads
MD5: 9bb0250408c43581e7f9977da9c64e36
SHA1: 10bb73ae8b19a28b833daffd8c89041ca9c58dca
SHA256: 732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543
SHA512: 53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a