Analysis
- max time kernel: 66s
- max time network: 68s
- platform: windows10_x64
- resource: win10v200430
- submitted: 12-07-2020 07:45
Static task
- static1

Behavioral task
- behavioral1
  Sample: hex.bin.dll
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: hex.bin.dll
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: hex.bin.dll
- Size: 20KB
- MD5: 9c44ec556d53301d86c13a884128b8de
- SHA1: 7c683d3c3590cbc61b5077bc035f4a36cae097d4
- SHA256: 7d85ebd460df8710d0f60278014654009be39945a820755e1fbd59030c14f4c7
- SHA512: 79c4386484943c79b62366cb6cb842ef39bcc9541e34c02276a7cc7a3eeac1c7360288b7b786bd21c0fe1f73e25f16231e893c392f194f7f417447c13e9317f7
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    900   512          WerFault.exe   rundll32.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                  pid   process
    Token: SeRestorePrivilege    900   WerFault.exe
    Token: SeBackupPrivilege     900   WerFault.exe
    Token: SeDebugPrivilege      900   WerFault.exe

- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid   process
    900   WerFault.exe   (13 identical entries)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                          pid    process        target process
    PID 2916 wrote to memory of 512      2916   rundll32.exe   rundll32.exe
    PID 2916 wrote to memory of 512      2916   rundll32.exe   rundll32.exe
    PID 2916 wrote to memory of 512      2916   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\hex.bin.dll,#1
  PID: 2916
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\hex.bin.dll,#1
    PID: 512
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 616
      PID: 900
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses