3d24275f33cfb0d01a1541f3aed83ed6ec22e90acc6df0deca325d658c1f1e58 | Triage

Analysis

max time kernel
13s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 03:38

Sharing

Report Analysis Logs

General

Target

mc&0.NET.dll
Size

503KB
MD5

e598fdc5eac35445a2b2e09dd8fc63ad
SHA1

5b9ff066600c4488fb2b451c2dcf0e7c2e0e9159
SHA256

2ffd5f63216bc158679a94db12a927f051c92e9900cad7614d84b6e71fb9e947
SHA512

9565fee5adb5df5786026e08f2d3c29921e25d08e70436b69868a69544fd6b6b8290c494a532f254373061e622ae793ad63bc907f0b5e399cc74db35d6463969

Score

8^/10

Malware Config

Signatures

Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

8 1000 rundll32.exe
13 1000 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1000 rundll32.exe
1000 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 508 wrote to memory of 1000	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 1000	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 1000	508	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mc&0.NET.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mc&0.NET.dll,#1
2⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-0-0x0000000000000000-mapping.dmp

Download