557772effd7149653c391055a2bd4d12eb2588255fbb0b66112958554e6579ff

Analysis

Target

368b791d4fb7342d10d298e4445aa624.dll
Size

199KB
MD5

368b791d4fb7342d10d298e4445aa624
SHA1

288ea4542bb8b758c0b13d54deb36b00c287f032
SHA256

557772effd7149653c391055a2bd4d12eb2588255fbb0b66112958554e6579ff
SHA512

486368d60e0d49906d55d7b8101b2df7ea791e4644cefb1d9c2618ab78bf9db717fbc0cbcfa7d5585102b25467224ea29765c3cf002cabd72ae814370de7eac1

Score

9^/10

ServiceHost packer 4 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2256-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2256-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2256-7-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2256-6-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1232 2256 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1232	2256	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1232 WerFault.exe
Token: SeBackupPrivilege 1232 WerFault.exe
Token: SeDebugPrivilege 1232 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4068 wrote to memory of 2256	4068	rundll32.exe	rundll32.exe
PID 4068 wrote to memory of 2256	4068	rundll32.exe	rundll32.exe
PID 4068 wrote to memory of 2256	4068	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
2⤵
PID:2256

memory/1232-3-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1232-9-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2256-2-0x0000000000000000-mapping.dmp

Download
memory/2256-4-0x0000000000000000-mapping.dmp

Download
memory/2256-5-0x0000000000000000-mapping.dmp

Download
memory/2256-7-0x0000000000000000-mapping.dmp

Download
memory/2256-6-0x0000000000000000-mapping.dmp

Download