Analysis
- max time kernel: 30s
- max time network: 80s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: file.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: file.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: file.dll
- Size: 164KB
- MD5: f1d7748df9fa1f8dbe8af1551d6500b8
- SHA1: 795f3d5a7481859135323e8996fda1709b157ca8
- SHA256: c3ed8705aecf16a07e86717d4dd6a33847cf0b87bb2d58e56a502bbf952d5f03
- SHA512: 3c1e77f113367f7ec7a492d8f8140afa124d0359ea05883adbe732527073415799990f9b4bb6492bf10eb5eb2117feeb8c799b282caf9a2c7c8f0f0907fe0a4f
- Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes: WerFault.exe
    description: PID 904 created 1748 | pid: 904 | process: WerFault.exe | target process: rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid: 904 | pid_target: 1748 | process: WerFault.exe | target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
    pid: 904 | process: WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
    description: Token: SeRestorePrivilege | pid: 904 | process: WerFault.exe
    description: Token: SeBackupPrivilege | pid: 904 | process: WerFault.exe
    description: Token: SeDebugPrivilege | pid: 904 | process: WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description: PID 972 wrote to memory of 1748 | pid: 972 | process: rundll32.exe | target process: rundll32.exe (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 796
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/904-1-0x00000000044A0000-0x00000000044A1000-memory.dmp (Filesize: 4KB)
- memory/904-8-0x0000000004C10000-0x0000000004C11000-memory.dmp (Filesize: 4KB)
- memory/1748-0-0x0000000000000000-mapping.dmp
- memory/1748-3-0x0000000000000000-mapping.dmp
- memory/1748-2-0x0000000000000000-mapping.dmp
- memory/1748-4-0x0000000000000000-mapping.dmp
- memory/1748-5-0x0000000000000000-mapping.dmp
- memory/1748-6-0x0000000000000000-mapping.dmp