6b1e27915fa85d6bde40c512865e57c555e7bb02f1dc192a9b827c74c8984780

Analysis

Target

https___purefile24.top_4352wedfoifom.php.dll
Size

545KB
MD5

e221c9a4b1ac13310d037cbc764b86d9
SHA1

a7dbb7283b3b164993c1c122189e42509fe5573d
SHA256

6b1e27915fa85d6bde40c512865e57c555e7bb02f1dc192a9b827c74c8984780
SHA512

56c649d6a79f68924fe55973836f51cb10bbf1ed82366ea3be9be4f8dbf8e56aa4a2aedd933fa977d2109fd9abd7ea947d77e40659f00c80f645a18580cbf12c

Score

9^/10

ServiceHost packer 5 IoCs

Detects ServiceHost packer used for .NET malware

resource	yara_rule
behavioral2/memory/1480-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1480-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1480-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1480-6-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1480-5-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	1480	WerFault.exe	71

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1480	828	rundll32.exe	71
PID 828 wrote to memory of 1480	828	rundll32.exe	71
PID 828 wrote to memory of 1480	828	rundll32.exe	71

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\https___purefile24.top_4352wedfoifom.php.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\https___purefile24.top_4352wedfoifom.php.dll,#1
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 644
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956

memory/2956-1-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2956-7-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download