Analysis
max time kernel: 4s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 13-12-2020 08:32
Static task: static1
Behavioral task: behavioral1
  Sample: 368b791d4fb7342d10d298e4445aa624.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 368b791d4fb7342d10d298e4445aa624.dll
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 368b791d4fb7342d10d298e4445aa624.dll
Size: 199KB
MD5: 368b791d4fb7342d10d298e4445aa624
SHA1: 288ea4542bb8b758c0b13d54deb36b00c287f032
SHA256: 557772effd7149653c391055a2bd4d12eb2588255fbb0b66112958554e6579ff
SHA512: 486368d60e0d49906d55d7b8101b2df7ea791e4644cefb1d9c2618ab78bf9db717fbc0cbcfa7d5585102b25467224ea29765c3cf002cabd72ae814370de7eac1
Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
  pid   pid_target  process       target process
  1484  1904        WerFault.exe  rundll32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process       count
  1484  WerFault.exe  4
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1484  WerFault.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   process       target process  count
  PID 740 wrote to memory of 1904    740   rundll32.exe  rundll32.exe    7
  PID 1904 wrote to memory of 1484   1904  rundll32.exe  WerFault.exe    4
Processes
1. C:\Windows\system32\rundll32.exe (PID 740)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1904)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1484)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 244
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
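The WriteProcessMemory rows and the process tree above describe the same three processes, so a triage script can rebuild the tree from the rows and label each cross-process write. The following is an added example, not part of the sandbox report; the row text and command lines are copied from this page, while the helper names, the labels (`wow64_handoff`, `wer_crash_handoff`, `inspect`) and the interpretation that a system32 rundll32.exe re-launching a SysWOW64 rundll32.exe for the same DLL is the 64-bit host handing a 32-bit DLL to the 32-bit loader are this example's own assumptions.

```python
"""Rebuild the sandbox process tree from cross-process-write rows and label
each edge. Added example; row text and command lines are constructed from
the report above, labels and helper names are assumptions of this example."""
import re
from collections import Counter

# Constructed from the page's "Suspicious use of WriteProcessMemory" rows.
WPM_ROWS = """\
PID 740 wrote to memory of 1904 740 rundll32.exe rundll32.exe
PID 740 wrote to memory of 1904 740 rundll32.exe rundll32.exe
PID 740 wrote to memory of 1904 740 rundll32.exe rundll32.exe
PID 740 wrote to memory of 1904 740 rundll32.exe rundll32.exe
PID 740 wrote to memory of 1904 740 rundll32.exe rundll32.exe
PID 740 wrote to memory of 1904 740 rundll32.exe rundll32.exe
PID 740 wrote to memory of 1904 740 rundll32.exe rundll32.exe
PID 1904 wrote to memory of 1484 1904 rundll32.exe WerFault.exe
PID 1904 wrote to memory of 1484 1904 rundll32.exe WerFault.exe
PID 1904 wrote to memory of 1484 1904 rundll32.exe WerFault.exe
PID 1904 wrote to memory of 1484 1904 rundll32.exe WerFault.exe
"""

# Constructed from the page's process tree: pid -> (image path, command line).
PROCESSES = {
    740: (r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1"),
    1904: (r"C:\Windows\SysWOW64\rundll32.exe",
           r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1"),
    1484: (r"C:\Windows\SysWOW64\WerFault.exe",
           r"C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 244"),
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_wpm(text):
    """Collapse the rows into Counter {(src_pid, dst_pid, src_img, dst_img): writes}."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def werfault_target(cmdline):
    """PID of the crashing process from a WerFault command line (-p <pid>), else None."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def classify(src_pid, dst_pid, procs):
    """Label one write edge (labels are this example's own vocabulary)."""
    src_path, _ = procs[src_pid]
    dst_path, dst_cmd = procs[dst_pid]
    src_name = src_path.rsplit("\\", 1)[-1].lower()
    dst_name = dst_path.rsplit("\\", 1)[-1].lower()
    # Crash reporter spawned for exactly this parent: WER collecting a dump.
    if dst_name == "werfault.exe" and werfault_target(dst_cmd) == src_pid:
        return "wer_crash_handoff"
    # 64-bit host rundll32 re-launching the 32-bit rundll32 for a 32-bit DLL.
    if (src_name == dst_name == "rundll32.exe"
            and "\\system32\\" in src_path.lower()
            and "\\syswow64\\" in dst_path.lower()):
        return "wow64_handoff"
    return "inspect"


def build_tree(edges, procs):
    """Map parent pid -> [(child pid, label, write count)]."""
    tree = {}
    for (src, dst, _, _), n in edges.items():
        tree.setdefault(src, []).append((dst, classify(src, dst, procs), n))
    return tree


def triage(edges, procs):
    """One-line verdict derived only from the edge labels."""
    labels = {classify(s, d, procs) for (s, d, _, _) in edges}
    if "inspect" in labels:
        return "cross-process writes need review"
    if "wer_crash_handoff" in labels:
        return "sample crashed under rundll32; no payload behaviour observed"
    return "only loader handoffs seen"


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    for parent, kids in build_tree(edges, PROCESSES).items():
        for child, label, n in kids:
            print(f"{parent} -> {child}: {label} ({n} writes)")
    print(triage(edges, PROCESSES))
```

Both edges in this report come out as loader or crash-reporter handoffs, which is why the remaining WerFault signatures (process enumeration and SeDebugPrivilege while dumping PID 1904) do not raise the score: they are the reporter's own work, not the DLL's. An `inspect` label would only appear for a write into a process that is neither the expected WoW64 child nor the reporter for the writer itself, which is the case worth a manual look.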
Network
MITRE ATT&CK Matrix
Downloads
memory/1484-3-0x0000000000000000-mapping.dmp
memory/1484-4-0x00000000021D0000-0x00000000021E1000-memory.dmp (68KB)
memory/1484-6-0x00000000028B0000-0x00000000028C1000-memory.dmp (68KB)
memory/1904-2-0x0000000000000000-mapping.dmp
memory/1904-5-0x0000000000000000-mapping.dmp