Analysis
-
max time kernel
113s -
max time network
116s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:27
General
-
Target
file.dll
-
Size
166KB
-
MD5
df386a0d76f841b8a41aaf63e2ee22fe
-
SHA1
c340d786e1e2e75703e3152f72fdaade3566ca9c
-
SHA256
5f74523c92b0fde9a89cd5121fe4829a7499a7074a4e0c55adcae5ba2f374a20
-
SHA512
b2b9d85af5892662d46cb30b5e1bf6507fb5d7b8dcf78329c6ab214bd8c4c5069066419de4dba590bb0a6775125da42c117f61454c49bec21e8777e8ecc243c7
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
ServiceHost packer 6 IoCs
Detects ServiceHost packer used for .NET malware
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 8883⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1712-0-0x0000000000000000-mapping.dmp
-
memory/1712-2-0x0000000000000000-mapping.dmp
-
memory/1712-3-0x0000000000000000-mapping.dmp
-
memory/1712-4-0x0000000000000000-mapping.dmp
-
memory/1712-5-0x0000000000000000-mapping.dmp
-
memory/1712-6-0x0000000000000000-mapping.dmp
-
memory/1712-7-0x0000000000000000-mapping.dmp
-
memory/2860-1-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/2860-8-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB