Analysis
-
max time kernel
98s -
max time network
99s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 20:42
Static task
static1
Behavioral task
behavioral1
Sample
48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
Resource
win7v20201028
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
Resource
win10v20201028
0 signatures
0 seconds
General
-
Target
48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
-
Size
1.4MB
-
MD5
8825398172a44fe22696b5a17974f59b
-
SHA1
dba1337a0a8293b721642b8b45a86352bcdfd04f
-
SHA256
48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08
-
SHA512
a478fbcb46f798d952bccc8cfc6e5186056f09a47d23d3dda96c9ebc73bc35865ed71358bc63d30a7e7c41eb11f98753d0f38921388805de67849db8c5b9a795
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid   pid_target   process        target process
1172  1316         WerFault.exe   regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exe
pid   process
1172  WerFault.exe
1172  WerFault.exe
1172  WerFault.exe
1172  WerFault.exe
1172  WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exe
description              pid   process
Token: SeDebugPrivilege  1172  WerFault.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
regsvr32.exe, regsvr32.exe
description                      pid   process        target process
PID 1904 wrote to memory of 1316  1904  regsvr32.exe   regsvr32.exe
PID 1904 wrote to memory of 1316  1904  regsvr32.exe   regsvr32.exe
PID 1904 wrote to memory of 1316  1904  regsvr32.exe   regsvr32.exe
PID 1904 wrote to memory of 1316  1904  regsvr32.exe   regsvr32.exe
PID 1904 wrote to memory of 1316  1904  regsvr32.exe   regsvr32.exe
PID 1904 wrote to memory of 1316  1904  regsvr32.exe   regsvr32.exe
PID 1904 wrote to memory of 1316  1904  regsvr32.exe   regsvr32.exe
PID 1316 wrote to memory of 1172  1316  regsvr32.exe   WerFault.exe
PID 1316 wrote to memory of 1172  1316  regsvr32.exe   WerFault.exe
PID 1316 wrote to memory of 1172  1316  regsvr32.exe   WerFault.exe
PID 1316 wrote to memory of 1172  1316  regsvr32.exe   WerFault.exe
Processes
-
C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
- Suspicious use of WriteProcessMemory
PID:1904 -
  C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\48589dc79002ceb8d1a96a6dbc442c86aeb1ad19f4cea3182290e013f8380d08.dll
- Suspicious use of WriteProcessMemory
PID:1316 -
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 296
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172