Analysis
- max time kernel: 23s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-12-2020 14:50
Behavioral task: behavioral1
- Sample: 5555555555.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 5555555555.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: 5555555555.dll
- Size: 2.2MB
- MD5: d93e664851c7d28b2aa4e024ce820a83
- SHA1: 0ade1f8c1072e9828eba8a1c99a25a748086795e
- SHA256: c503aa1dbf3c19582320dd843867711ac3565adb1ef0a3b0d73cfc90a4a3cd21
- SHA512: 0d0f7cea9e8455020dcdb0da012f3820e4ba4c3f0fefa11b1884b2908cfc5ebb101391dbadddbe014bdbe11e40b27a8b1d35931ce04bb9ce96848be8565d6d55
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    744  1244  WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
    744  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege  744  WerFault.exe
    Token: SeBackupPrivilege   744  WerFault.exe
    Token: SeDebugPrivilege    744  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 576 wrote to memory of 1244  576  rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1244  576  rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1244  576  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5555555555.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5555555555.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/744-6-0x0000000004360000-0x0000000004361000-memory.dmp (Filesize 4KB)
- memory/744-10-0x0000000004D50000-0x0000000004D51000-memory.dmp (Filesize 4KB)
- memory/1244-2-0x0000000000000000-mapping.dmp
- memory/1244-8-0x0000000000000000-mapping.dmp
- memory/1244-9-0x0000000000000000-mapping.dmp
- memory/1244-7-0x0000000000000000-mapping.dmp
- memory/1244-11-0x0000000000000000-mapping.dmp
- memory/1244-12-0x0000000000000000-mapping.dmp
- memory/1244-13-0x00000000007C0000-0x00000000007C1000-memory.dmp (Filesize 4KB)