Analysis
- max time kernel: 24s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 08:32
Behavioral task: behavioral1
- Sample: 923753.jpg.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 923753.jpg.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 923753.jpg.dll
- Size: 2.9MB
- MD5: 3887099911b9df16a1eff94599b00871
- SHA1: 5e9944de761d8cc337c3783429762cdfae11f3d6
- SHA256: ccdc26c2d4de251147a00140aba26f4cc4e9bf8420fc68994318f2038eda9edb
- SHA512: d857da4058fe7e82f1752df49d76b863f431d1ee425a641ab3b50ec39d6db0e03470da472f8cdb5a776cd8b2d2bf1f2a52b22599da705889cae03a401ded58ee
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid, process -> pid_target, target process):
  212 WerFault.exe -> 3920 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
  212 WerFault.exe (the same entry appears for all 14 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeRestorePrivilege  212 WerFault.exe
  Token: SeBackupPrivilege   212 WerFault.exe
  Token: SeDebugPrivilege    212 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 732 wrote to memory of 3920  732 rundll32.exe -> rundll32.exe (the same entry appears for all 3 IoCs)
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 640
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/212-1-0x00000000046B0000-0x00000000046B1000-memory.dmp (Filesize: 4KB)
- memory/212-4-0x0000000004AE0000-0x0000000004AE1000-memory.dmp (Filesize: 4KB)
- memory/3920-0-0x0000000000000000-mapping.dmp
- memory/3920-3-0x0000000000000000-mapping.dmp
- memory/3920-2-0x0000000000000000-mapping.dmp