Analysis
max time kernel: 4s
max time network: 13s
platform: windows7_x64
resource: win7v20201028
submitted: 17-11-2020 12:16
Static task: static1

Behavioral task: behavioral1
Sample: 7c5a448ef79801222dceb3a09298423a.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 7c5a448ef79801222dceb3a09298423a.dll
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General
Target: 7c5a448ef79801222dceb3a09298423a.dll
Size: 208KB
MD5: 4bda250be73136628f57a0ed1d8969a1
SHA1: d4c896cab15fde45c962353937b7f35f235a0576
SHA256: f2728813e7147c34eeb0c734753e0360731b9995de11f8921bed0febfda4de29
SHA512: 49894fd6ddd49d1ea0ba3f377abf2e5537c0c543b16c45788d18c8c7bd907e7e5c8e7703e6e77ee200f7e5c44b1f1286cc523b72b386d5ca018cbb6b55e6cec8
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1972  1648        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  1972  WerFault.exe
  1972  WerFault.exe
  1972  WerFault.exe
  1972  WerFault.exe
  1972  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1972  WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                        pid   process       target process
  PID 292 wrote to memory of 1648    292   rundll32.exe  rundll32.exe
  PID 292 wrote to memory of 1648    292   rundll32.exe  rundll32.exe
  PID 292 wrote to memory of 1648    292   rundll32.exe  rundll32.exe
  PID 292 wrote to memory of 1648    292   rundll32.exe  rundll32.exe
  PID 292 wrote to memory of 1648    292   rundll32.exe  rundll32.exe
  PID 292 wrote to memory of 1648    292   rundll32.exe  rundll32.exe
  PID 292 wrote to memory of 1648    292   rundll32.exe  rundll32.exe
  PID 1648 wrote to memory of 1972   1648  rundll32.exe  WerFault.exe
  PID 1648 wrote to memory of 1972   1648  rundll32.exe  WerFault.exe
  PID 1648 wrote to memory of 1972   1648  rundll32.exe  WerFault.exe
  PID 1648 wrote to memory of 1972   1648  rundll32.exe  WerFault.exe
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5a448ef79801222dceb3a09298423a.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 292
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5a448ef79801222dceb3a09298423a.dll,#1
      - Suspicious use of WriteProcessMemory
      PID: 1648
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 244
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1972