Analysis
-
max time kernel
3s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
15-11-2020 22:46
Static task
static1
Behavioral task
behavioral1
Sample
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
-
Size
202KB
-
MD5
4365a73b7ddbdff6e25bfcbb3778918b
-
SHA1
5bb622f8e35dcad4bf939884b5e62a76f4cebfc1
-
SHA256
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2
-
SHA512
0bac9b01bd02336b0d9e72dc75a2ec374cd41a4e40f3566a35002ab968cbc230afaeac8a32a43768288a8698ba3769bb3e457e22271bb0f86bdfc5fa2b8007d8
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2040 1860 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 2040 WerFault.exe 2040 WerFault.exe 2040 WerFault.exe 2040 WerFault.exe 2040 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 2040 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1756 wrote to memory of 1860 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1860 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1860 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1860 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1860 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1860 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1860 1756 rundll32.exe rundll32.exe PID 1860 wrote to memory of 2040 1860 rundll32.exe WerFault.exe PID 1860 wrote to memory of 2040 1860 rundll32.exe WerFault.exe PID 1860 wrote to memory of 2040 1860 rundll32.exe WerFault.exe PID 1860 wrote to memory of 2040 1860 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 2443⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1860-0-0x0000000000000000-mapping.dmp
-
memory/1860-3-0x0000000000000000-mapping.dmp
-
memory/2040-1-0x0000000000000000-mapping.dmp
-
memory/2040-2-0x0000000000870000-0x0000000000881000-memory.dmpFilesize
68KB
-
memory/2040-4-0x0000000002750000-0x0000000002761000-memory.dmpFilesize
68KB