Analysis

Max time kernel:  142s
Max time network: 142s
Platform:         windows10_x64
Resource:         win10v20201028
Submitted:        09-11-2020 20:42
Static task:      static1

Behavioral task:  behavioral1
  Sample:         48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
  Resource:       win7v20201028

Behavioral task:  behavioral2
  Sample:         48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
  Resource:       win10v20201028
General

Target: 48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
Size:   1.4MB
MD5:    8825398172a44fe22696b5a17974f59b
SHA1:   dba1337a0a8293b721642b8b45a86352bcdfd04f
SHA256: 48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08
SHA512: a478fbcb46f798d952bccc8cfc6e5186056f09a47d23d3dda96c9ebc73bc35865ed71358bc63d30a7e7c41eb11f98753d0f38921388805de67849db8c5b9a795
Malware Config

(empty in the report; no configuration was extracted from this sample)
Signatures

The signature hits below come from the behavioral2 (win10v20201028) run; the YARA match is on a memory dump taken from PID 2592, the 32-bit regsvr32 instance that actually loaded the DLL.

ServiceHost packer (1 IoC)
  Detects ServiceHost packer used for .NET malware.
  resource                                                  yara_rule
  behavioral2/memory/2592-2-0x0000000000000000-mapping.dmp  servicehost

Program crash (1 IoC)
  pid   pid_target  process       target process
  3060  2592        WerFault.exe  regsvr32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  3060  WerFault.exe   (14 identical events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  3060  WerFault.exe
  Token: SeBackupPrivilege   3060  WerFault.exe
  Token: SeDebugPrivilege    3060  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  process       target process
  PID 412 wrote to memory of 2592  412  regsvr32.exe  regsvr32.exe   (3 identical events)

Caveats for triage: the EnumeratesProcesses and AdjustPrivilegeToken hits are attributed to WerFault.exe, the Windows crash reporter, and are its normal behaviour when collecting a crash report rather than actions of the sample. The WriteProcessMemory hits are the 64-bit regsvr32 writing into the SysWOW64 regsvr32 it re-launched for a 32-bit DLL, which is expected at process creation. The substantive signals are the packer YARA match and the fact that the 32-bit loader crashed with the DLL mapped.
Processes

1. C:\Windows\system32\regsvr32.exe  (PID 412)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
   Signatures:   Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe  (PID 2592)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll

      3. C:\Windows\SysWOW64\WerFault.exe  (PID 3060)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 616
         Signatures:   Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
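As an added example (not part of the sandbox report or of the sandbox vendor's tooling), the Python below replays the process tree above as constructed Sysmon-style process-creation events and applies the two checks a detection engineer would derive from it: regsvr32 silently registering a DLL from a user-writable directory, and WerFault reporting a crash of that regsvr32 instance while the DLL was loaded. The PIDs, image paths and command lines are copied from the report; the event dictionary layout, the field names and the list of user-writable directories are assumptions of the example. The 64-bit regsvr32 re-launching its SysWOW64 copy is treated as expected behaviour and is deliberately not reported on its own.

```python
"""Constructed example: two detections derived from the report's process tree.
Not part of the sandbox report; event layout and writable-directory list are
assumptions, the PIDs, images and command lines come from the report."""
from __future__ import annotations

import re

# DLL path exactly as it appears in the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll")

# Constructed Sysmon-style process-creation events (field names are an
# assumption); the values are taken from the report's process tree.
EVENTS = [
    {"pid": 412, "ppid": 0, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": f"regsvr32 /s {SAMPLE}"},
    {"pid": 2592, "ppid": 412, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": f"/s {SAMPLE}"},
    {"pid": 3060, "ppid": 2592, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 616"},
]

# Directories an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_target(event: dict) -> str | None:
    """Return the DLL a regsvr32 event registers, or None for any other image.
    Switches start with '/' or '-'; the program name may be absent (the SysWOW64
    child in the report was launched with only '/s <dll>')."""
    if not event["image"].lower().endswith(r"\regsvr32.exe"):
        return None
    tokens = split_cmdline(event["cmdline"])
    if tokens and tokens[0].lower().split("\\")[-1] in ("regsvr32", "regsvr32.exe"):
        tokens = tokens[1:]
    for tok in tokens:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def is_silent(event: dict) -> bool:
    """True when regsvr32 was told to suppress its message boxes (/s or -s)."""
    return any(t.lower() in ("/s", "-s") for t in split_cmdline(event["cmdline"]))


def analyse(events: list[dict]) -> list[dict]:
    """Apply both checks and return the findings in process-tree order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        dll = regsvr32_target(e)
        if not (dll and USER_WRITABLE.match(dll)):
            continue
        parent = by_pid.get(e["ppid"])
        # A 64-bit regsvr32 handed a 32-bit DLL re-launches the SysWOW64 copy
        # with the same arguments; report the chain once, from the top instance.
        if parent is not None and regsvr32_target(parent) == dll:
            continue
        findings.append({"rule": "regsvr32_user_writable_dll", "pid": e["pid"],
                         "dll": dll, "silent": is_silent(e)})
    for e in events:
        if not e["image"].lower().endswith(r"\werfault.exe"):
            continue
        m = re.search(r"(?:^|\s)-p\s+(\d+)", e["cmdline"])
        crashed = by_pid.get(int(m.group(1))) if m else None
        dll = regsvr32_target(crashed) if crashed else None
        if dll:
            # The loader died with the DLL mapped: consistent with a packed
            # payload failing in the sandbox, and the moment to dump its memory.
            findings.append({"rule": "regsvr32_crashed", "pid": crashed["pid"],
                             "dll": dll, "reporter_pid": e["pid"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Run against the three report events, `analyse()` yields one finding for PID 412 (the silent registration of the DLL from the user's Temp directory) and one for PID 2592 (the crash reported by WerFault PID 3060); the SysWOW64 re-launch by itself produces nothing. A DLL registered from under C:\Windows or C:\Program Files is ignored by the first check, which is what keeps the rule quiet on legitimate installers.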