Analysis
- max time kernel: 12s
- max time network: 101s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 11:43

Static task: static1

Behavioral task: behavioral1
- Sample: 23a6aca8cb2a8ae13495433beef8b972.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 23a6aca8cb2a8ae13495433beef8b972.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: 23a6aca8cb2a8ae13495433beef8b972.dll
- Size: 208KB
- MD5: 421c812b233bba6d2079680c4d42088a
- SHA1: 2f66e92d1f7010d4eb3ecd1cc2ba34720bdd5a76
- SHA256: a9fdabda845e7ade437168e0aab5673c5020c7021a595ca8929a94421c1d93b5
- SHA512: f7c8848e3e14931d32fca11a26c25b1363ecd6fe3029967bbe2d13425553ddbe4784a86e4a5d239cb2c3182f8b676ef3b1ef77d94088ac651993eb08f1324795
- Score: 9/10
Malware Config

Signatures

- ServiceHost packer (3 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes:
    resource                                                   yara_rule
    behavioral2/memory/1392-2-0x0000000000000000-mapping.dmp   servicehost
    behavioral2/memory/1392-4-0x0000000000000000-mapping.dmp   servicehost
    behavioral2/memory/1392-3-0x0000000000000000-mapping.dmp   servicehost

- Program crash (1 IoC)
  Processes:
    pid    pid_target   process        target process
    3008   1392         WerFault.exe   rundll32.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid    process
    3008   WerFault.exe   (the same entry is reported 14 times)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                  pid    process
    Token: SeRestorePrivilege    3008   WerFault.exe
    Token: SeBackupPrivilege     3008   WerFault.exe
    Token: SeDebugPrivilege      3008   WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process        target process
    PID 1180 wrote to memory of 1392   1180   rundll32.exe   rundll32.exe   (the same entry is reported 3 times)
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23a6aca8cb2a8ae13495433beef8b972.dll,#1
  PID: 1180
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23a6aca8cb2a8ae13495433beef8b972.dll,#1
    PID: 1392
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 660
      PID: 3008
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1392-0-0x0000000000000000-mapping.dmp
- memory/1392-2-0x0000000000000000-mapping.dmp
- memory/1392-4-0x0000000000000000-mapping.dmp
- memory/1392-3-0x0000000000000000-mapping.dmp
- memory/3008-1-0x0000000004720000-0x0000000004721000-memory.dmp (Filesize: 4KB)
- memory/3008-5-0x0000000004AD0000-0x0000000004AD1000-memory.dmp (Filesize: 4KB)