a9fdabda845e7ade437168e0aab5673c5020c7021a595ca8929a94421c1d93b5 | Triage

Analysis

max time kernel
12s
max time network
101s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 11:43

Sharing

Report Analysis Logs

General

Target

23a6aca8cb2a8ae13495433beef8b972.dll
Size

208KB
MD5

421c812b233bba6d2079680c4d42088a
SHA1

2f66e92d1f7010d4eb3ecd1cc2ba34720bdd5a76
SHA256

a9fdabda845e7ade437168e0aab5673c5020c7021a595ca8929a94421c1d93b5
SHA512

f7c8848e3e14931d32fca11a26c25b1363ecd6fe3029967bbe2d13425553ddbe4784a86e4a5d239cb2c3182f8b676ef3b1ef77d94088ac651993eb08f1324795

Score

9^/10

Malware Config

Signatures

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1392-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1392-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1392-3-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3008 1392 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3008 WerFault.exe
Token: SeBackupPrivilege 3008 WerFault.exe
Token: SeDebugPrivilege 3008 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1180 wrote to memory of 1392	1180	rundll32.exe	rundll32.exe
PID 1180 wrote to memory of 1392	1180	rundll32.exe	rundll32.exe
PID 1180 wrote to memory of 1392	1180	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23a6aca8cb2a8ae13495433beef8b972.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23a6aca8cb2a8ae13495433beef8b972.dll,#1
2⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1392-0-0x0000000000000000-mapping.dmp

Download
memory/1392-2-0x0000000000000000-mapping.dmp

Download
memory/1392-4-0x0000000000000000-mapping.dmp

Download
memory/1392-3-0x0000000000000000-mapping.dmp

Download
memory/3008-1-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download