Overview

overview

10

Static

static

10

Dumped_Bea...86.dll

windows7_x64

1

Dumped_Bea...86.dll

windows10_x64

10

Analysis

  • max time kernel
    34s
  • max time network
    68s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-11-2020 00:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dumped_Beacon_DLL_powershell_ise_exe_PIDd7c_hiddenmodule_4480000_x86.dll

  • Size

    248KB

  • MD5

    7d55a3f0151b59a1a28a8bb0519176be

  • SHA1

    4dc08fc88a7c8af4557df0a0b28df5b67751c1e3

  • SHA256

    0d0c1dc04c2a607e0042f4611a1b975cae82b3bb7e5e5ff912f23924ee1b88c5

  • SHA512

    440fec1b76830ff35146b7ad2cc082e64e5ac39cde120849442cdf2ea265e0e5a5d107ae204cdfe367deca7d478bb46061d06530bf7983ddbde61918aecb1d0d

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • ServiceHost packer 6 IoCs

    Detects ServiceHost packer used for .NET malware

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dumped_Beacon_DLL_powershell_ise_exe_PIDd7c_hiddenmodule_4480000_x86.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dumped_Beacon_DLL_powershell_ise_exe_PIDd7c_hiddenmodule_4480000_x86.dll,#1
      2⤵
        PID:1908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 604
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 772
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2112

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1084-1-0x00000000042D0000-0x00000000042D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1084-5-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1908-0-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-3-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-4-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-6-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-7-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-9-0x0000000000000000-mapping.dmp
      Download
    • memory/2112-8-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2112-10-0x0000000005200000-0x0000000005201000-memory.dmp
      Filesize

      4KB

      Download