Analysis
max time kernel: 113s
max time network: 116s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: file.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: file.dll
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: file.dll
Size: 166KB
MD5: df386a0d76f841b8a41aaf63e2ee22fe
SHA1: c340d786e1e2e75703e3152f72fdaade3566ca9c
SHA256: 5f74523c92b0fde9a89cd5121fe4829a7499a7074a4e0c55adcae5ba2f374a20
SHA512: b2b9d85af5892662d46cb30b5e1bf6507fb5d7b8dcf78329c6ab214bd8c4c5069066419de4dba590bb0a6775125da42c117f61454c49bec21e8777e8ecc243c7
Score: 10/10
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes: WerFault.exe
  description           | pid  | process      | target process
  PID 2860 created 1712 | 2860 | WerFault.exe | rundll32.exe
ServiceHost packer (6 IoCs)
Detects ServiceHost packer used for .NET malware
Processes:
  resource                                                 | yara_rule
  behavioral2/memory/1712-2-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1712-3-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1712-4-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1712-5-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1712-6-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1712-7-0x0000000000000000-mapping.dmp | servicehost
Program crash (1 IoC)
Processes: WerFault.exe
  pid  | pid_target | process      | target process
  2860 | 1712       | WerFault.exe | rundll32.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: WerFault.exe
  pid  | process
  2860 | WerFault.exe (14 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description               | pid  | process
  Token: SeRestorePrivilege | 2860 | WerFault.exe
  Token: SeBackupPrivilege  | 2860 | WerFault.exe
  Token: SeDebugPrivilege   | 2860 | WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                        | pid  | process      | target process
  PID 1304 wrote to memory of 1712   | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1712   | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1712   | 1304 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  PID: 1304
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    PID: 1712
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 888
      PID: 2860
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1712-0-0x0000000000000000-mapping.dmp
- memory/1712-2-0x0000000000000000-mapping.dmp
- memory/1712-3-0x0000000000000000-mapping.dmp
- memory/1712-4-0x0000000000000000-mapping.dmp
- memory/1712-5-0x0000000000000000-mapping.dmp
- memory/1712-6-0x0000000000000000-mapping.dmp
- memory/1712-7-0x0000000000000000-mapping.dmp
- memory/2860-1-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize: 4KB)
- memory/2860-8-0x0000000005820000-0x0000000005821000-memory.dmp (Filesize: 4KB)