Analysis
- max time kernel: 10s
- max time network: 15s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-11-2020 22:37

Static task: static1

Behavioral task: behavioral1
- Sample: bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll
- Resource: win7v20201028
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll
- Resource: win10v20201028
- 0 signatures
- 0 seconds
General
- Target: bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll
- Size: 244KB
- MD5: 4a6ac9379a35b32c84605043a56e62c3
- SHA1: a0a2639be7f2e36b7e3ce7f426c9789041321d86
- SHA256: bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b
- SHA512: ca9d9efb779878c64299c63f9a68899c035d18e5a45273d7971a664eac95ce7034a9b1d654e4cb804cbb3da77ee140cb31d421841310d47f30a382a61244cfcb
- Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  - 1808, 1844, WerFault.exe, rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
  - 1808, WerFault.exe
  - 1808, WerFault.exe
  - 1808, WerFault.exe
  - 1808, WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1808, WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 1004 wrote to memory of 1844, 1004, rundll32.exe, rundll32.exe (7 identical entries)
  - PID 1844 wrote to memory of 1808, 1844, rundll32.exe, WerFault.exe (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 196
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1808-1-0x0000000000000000-mapping.dmp
- memory/1808-2-0x0000000001F00000-0x0000000001F11000-memory.dmp (Filesize: 68KB)
- memory/1808-4-0x00000000024F0000-0x0000000002501000-memory.dmp (Filesize: 68KB)
- memory/1844-0-0x0000000000000000-mapping.dmp
- memory/1844-3-0x0000000000000000-mapping.dmp