Analysis
- max time kernel: 61s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-12-2020 08:32
Static task: static1

Behavioral task: behavioral1
- Sample: 368b791d4fb7342d10d298e4445aa624.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 368b791d4fb7342d10d298e4445aa624.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 368b791d4fb7342d10d298e4445aa624.dll
- Size: 199KB
- MD5: 368b791d4fb7342d10d298e4445aa624
- SHA1: 288ea4542bb8b758c0b13d54deb36b00c287f032
- SHA256: 557772effd7149653c391055a2bd4d12eb2588255fbb0b66112958554e6579ff
- SHA512: 486368d60e0d49906d55d7b8101b2df7ea791e4644cefb1d9c2618ab78bf9db717fbc0cbcfa7d5585102b25467224ea29765c3cf002cabd72ae814370de7eac1
- Score: 9/10
Malware Config
Signatures
- ServiceHost packer (4 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes (resource / yara_rule):
    behavioral2/memory/2256-4-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/2256-5-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/2256-7-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/2256-6-0x0000000000000000-mapping.dmp  servicehost
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
    1232  2256  WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
    1232  WerFault.exe  (repeated 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege  1232  WerFault.exe
    Token: SeBackupPrivilege   1232  WerFault.exe
    Token: SeDebugPrivilege    1232  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 4068 wrote to memory of 2256  4068  rundll32.exe  rundll32.exe  (repeated 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 660
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1232-3-0x0000000004CE0000-0x0000000004CE1000-memory.dmp (Filesize: 4KB)
- memory/1232-9-0x0000000005600000-0x0000000005601000-memory.dmp (Filesize: 4KB)
- memory/2256-2-0x0000000000000000-mapping.dmp
- memory/2256-4-0x0000000000000000-mapping.dmp
- memory/2256-5-0x0000000000000000-mapping.dmp
- memory/2256-7-0x0000000000000000-mapping.dmp
- memory/2256-6-0x0000000000000000-mapping.dmp