Analysis
max time kernel: 3s
max time network: 8s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 19:43
Behavioral task behavioral1
Sample: 1.dll
Resource: win7v20201028
0 signatures, 0 seconds

Behavioral task behavioral2
Sample: 1.dll
Resource: win10v20201028
0 signatures, 0 seconds
General
Target: 1.dll
Size: 621KB
MD5: 7e5f2859a9e472c49c960b2dc6dc7783
SHA1: ad3681bed42f97ecdcc95cecd69eb1c2b78c2b4c
SHA256: 2a0ff145da991dbd3443cc260e9e8dcb9bcd61ec6868d80b81c77145eddc44a8
SHA512: 2b24b9c9f366a229e7f062e0b6e16609f1387bca7a4f29bbeeaccae1b5e73525cfd8e66337f15c158e8b2ad4c49aded1a2860207eee9d46524be8c221ef56f3a
Score: 5/10
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
description            pid   process       target pid  target process
set thread context of  2036  rundll32.exe  1328        WerFault.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid   process
2036  rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description         pid   process       target pid  target process  occurrences
wrote to memory of  1808  rundll32.exe  2036        rundll32.exe    7
wrote to memory of  2036  rundll32.exe  1328        WerFault.exe    7
Processes

C:\Windows\system32\rundll32.exe (PID 1808)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 2036)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\system32\WerFault.exe (PID 1328)
          command line: C:\Windows\system32\WerFault.exe
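The signature rows and the process tree above describe one chain: the 64-bit rundll32.exe (1808) writes into a SysWOW64 rundll32.exe child (2036), and that child both writes memory into and sets the thread context of WerFault.exe (1328). The first hop is what you expect when a 32-bit DLL is handed to the 64-bit rundll32.exe, which relaunches the SysWOW64 copy with the same arguments, so a parent writing into a same-image child is weak evidence on its own. WriteProcessMemory plus SetThreadContext on a different image is the thread-hijack / hollowing pattern worth acting on. As an added example that is not part of the sandbox report, the Python below parses rows in the report's own wording, groups them by source/target pair, rates each pair, and walks the chain from the root PID. The input string is constructed from the rows above (in the run-together form the page shows), and the severity labels are this example's own choice.

```python
import re
from collections import defaultdict, namedtuple

# Constructed input: the report's WriteProcessMemory and SetThreadContext rows,
# concatenated the way the scraped page presents them (7 + 7 + 1 rows).
SANDBOX_IOC_TEXT = (
    "PID 1808 wrote to memory of 2036 1808 rundll32.exe rundll32.exe " * 7
    + "PID 2036 wrote to memory of 1328 2036 rundll32.exe WerFault.exe " * 7
    + "PID 2036 set thread context of 1328 2036 rundll32.exe WerFault.exe"
)

# One row: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)
VERB_TO_API = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}
Event = namedtuple("Event", "api src_pid src_image dst_pid dst_image")


def parse_iocs(text):
    """Scan the (possibly run-together) report text and return one Event per row."""
    return [
        Event(VERB_TO_API[m["verb"]], int(m["src"]), m["src_image"],
              int(m["dst"]), m["dst_image"])
        for m in IOC_RE.finditer(text)
    ]


def find_injection_chains(events):
    """Group cross-process calls by (source, target) and rate each pair.

    Severity scheme (this example's own heuristic):
      high   - WriteProcessMemory and SetThreadContext on the same target
      medium - WriteProcessMemory into a process with a different image name
      low    - WriteProcessMemory into a same-image process (parent -> child)
      info   - anything else
    """
    pairs = defaultdict(lambda: {"apis": set(), "writes": 0})
    for ev in events:
        rec = pairs[(ev.src_pid, ev.src_image, ev.dst_pid, ev.dst_image)]
        rec["apis"].add(ev.api)
        if ev.api == "WriteProcessMemory":
            rec["writes"] += 1

    findings = []
    for (src_pid, src_image, dst_pid, dst_image), rec in sorted(pairs.items()):
        apis = rec["apis"]
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            severity = "high"
        elif "WriteProcessMemory" in apis and src_image.lower() == dst_image.lower():
            severity = "low"
        elif "WriteProcessMemory" in apis:
            severity = "medium"
        else:
            severity = "info"
        findings.append({
            "src_pid": src_pid, "src_image": src_image,
            "dst_pid": dst_pid, "dst_image": dst_image,
            "apis": sorted(apis), "writes": rec["writes"], "severity": severity,
        })
    return findings


def injection_path(findings, root_pid):
    """Follow source -> target edges from root_pid and render the chain.

    Assumes one target per source, which holds for this report; a source with
    several targets would keep only the last one seen.
    """
    by_src = {f["src_pid"]: f for f in findings}
    path, pid, seen = [], root_pid, set()
    while pid in by_src and pid not in seen:
        seen.add(pid)
        f = by_src[pid]
        if not path:
            path.append(f"{f['src_image']}({f['src_pid']})")
        path.append(f"{f['dst_image']}({f['dst_pid']})")
        pid = f["dst_pid"]
    return " -> ".join(path)


if __name__ == "__main__":
    evs = parse_iocs(SANDBOX_IOC_TEXT)
    found = find_injection_chains(evs)
    for f in found:
        print(f"[{f['severity']:6}] {f['src_image']}({f['src_pid']}) -> "
              f"{f['dst_image']}({f['dst_pid']}): {', '.join(f['apis'])} "
              f"(writes={f['writes']})")
    print("chain:", injection_path(found, 1808))
```

Run against the constructed rows, the 1808 -> 2036 pair rates low and the 2036 -> 1328 pair rates high, and the chain reads rundll32.exe(1808) -> rundll32.exe(2036) -> WerFault.exe(1328). The same grouping works on Sysmon event 8/10 style data once the events are mapped onto the Event tuple.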
Network
MITRE ATT&CK Matrix
Downloads
memory/1328-2-0x0000000000000000-mapping.dmp
memory/1328-3-0x000007FFFFFD6000-mapping.dmp
memory/2036-0-0x0000000000000000-mapping.dmp
memory/2036-1-0x0000000000440000-0x00000000004B6000-memory.dmp (filesize 472KB)
memory/2036-4-0x0000000001D20000-0x0000000001DCF000-memory.dmp (filesize 700KB)