Analysis
  max time kernel:   13s
  max time network:  90s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         12-01-2021 08:33
Behavioral tasks
  behavioral1
    Sample:      3db2fc3e2bdc0b93e8ca79474c5e74f6792fb3acb0df37b0fbb442dc55f30d47.dll
    Resource:    win7v20201028 (windows7_x64)
    Signatures:  0
    Runtime:     0 seconds
  behavioral2
    Sample:      3db2fc3e2bdc0b93e8ca79474c5e74f6792fb3acb0df37b0fbb442dc55f30d47.dll
    Resource:    win10v20201028 (windows10_x64)
    Signatures:  0
    Runtime:     0 seconds
General
  Target:  3db2fc3e2bdc0b93e8ca79474c5e74f6792fb3acb0df37b0fbb442dc55f30d47.dll
  Size:    2.2MB
  MD5:     10bbebdc31e0b60567bc7dc095340f47
  SHA1:    17c8bb8c76fc813f1af7b1b892fe4bdc946902c5
  SHA256:  3db2fc3e2bdc0b93e8ca79474c5e74f6792fb3acb0df37b0fbb442dc55f30d47
  SHA512:  f57c2ea08b365b655ac4b9e1a13ab39fedb85af7751a3fa05b441fd53fd5e5c67252784e985895e55a78c191d5577e6baf97a7f98fddcb342c1d54818a370c6a
  Score:   3/10
Malware Config
Signatures
  Program crash (1 IoC)
    pid   process       pid_target  target process
    3676  WerFault.exe  1028        rundll32.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid   process
    3676  WerFault.exe   (all 14 IoCs attributed to this process)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    pid   process       token
    3676  WerFault.exe  SeRestorePrivilege
    3676  WerFault.exe  SeBackupPrivilege
    3676  WerFault.exe  SeDebugPrivilege

  Suspicious use of WriteProcessMemory (3 IoCs)
    pid  process       pid_target  target process
    508  rundll32.exe  1028        rundll32.exe
    508  rundll32.exe  1028        rundll32.exe
    508  rundll32.exe  1028        rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe  (pid 508, from the WriteProcessMemory IoCs)
    cmdline:    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3db2fc3e2bdc0b93e8ca79474c5e74f6792fb3acb0df37b0fbb442dc55f30d47.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    └ C:\Windows\SysWOW64\rundll32.exe  (pid 1028, the crash target)
        cmdline:    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3db2fc3e2bdc0b93e8ca79474c5e74f6792fb3acb0df37b0fbb442dc55f30d47.dll,#1
        └ C:\Windows\SysWOW64\WerFault.exe  (pid 3676)
            cmdline:    C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 624
            signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
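The process tree above is the usual shape for a 32-bit DLL handed to rundll32 on 64-bit Windows: the 64-bit C:\Windows\system32\rundll32.exe re-launches the 32-bit copy from SysWOW64 to host the DLL, the parent's WriteProcessMemory into the new child is what process creation looks like to the sandbox, and the child (pid 1028) then crashed, which is why WerFault.exe was started with "-p 1028" and why the three remaining signatures belong to WerFault rather than to the sample. Before trusting that reading, a practitioner would confirm two things offline: that the file on disk really is the one the report hashed, and that the COFF header says i386 (32-bit) and IMAGE_FILE_DLL. The script below is an added example written for this note, not tooling from the sandbox; it carries the report's hash values for the cross-check and builds a constructed minimal PE header in memory so it can be run without the sample. The mapping from image bitness to the rundll32 path that ends up hosting the DLL is the standard WoW64 behaviour assumed above.

```python
"""Cross-check a DLL against a sandbox report: hashes, bitness, DLL flag."""
import hashlib
import struct
import sys

# Hash values copied from the report's General section.
REPORT_HASHES = {
    "md5": "10bbebdc31e0b60567bc7dc095340f47",
    "sha1": "17c8bb8c76fc813f1af7b1b892fe4bdc946902c5",
    "sha256": "3db2fc3e2bdc0b93e8ca79474c5e74f6792fb3acb0df37b0fbb442dc55f30d47",
    "sha512": ("f57c2ea08b365b655ac4b9e1a13ab39fedb85af7751a3fa05b441fd53fd5e5c6"
               "7252784e985895e55a78c191d5577e6baf97a7f98fddcb342c1d54818a370c6a"),
}

# COFF Characteristics bits and Machine values from the PE/COFF specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x01C4: "ARMNT", 0x8664: "AMD64", 0xAA64: "ARM64"}
MACHINES_64BIT = {0x8664, 0xAA64}


def file_hashes(data: bytes) -> dict:
    """Digests in the same four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Per-algorithm True/False: does this file match the reported sample?"""
    actual = file_hashes(data)
    return {name: actual[name] == value.lower() for name, value in expected.items()}


def pe_info(data: bytes) -> dict:
    """Parse the DOS stub and COFF file header; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _ts, _symtab, _nsyms, _opt, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "bits": 64 if machine in MACHINES_64BIT else 32,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": nsections,
    }


def expected_rundll32_host(bits: int) -> str:
    """Which rundll32 ends up hosting the DLL on 64-bit Windows (WoW64 rule, assumed)."""
    return r"C:\Windows\SysWOW64\rundll32.exe" if bits == 32 else r"C:\Windows\system32\rundll32.exe"


def build_pe_stub(machine: int, characteristics: int) -> bytes:
    """Constructed minimal PE: 64-byte DOS header, PE signature, bare COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-in for a 32-bit DLL header (not the real sample).
STUB_DLL_32 = build_pe_stub(0x014C, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)


def analyze(data: bytes) -> dict:
    """Everything an analyst wants in one dict: hash match, header facts, expected host."""
    info = pe_info(data)
    info["report_match"] = matches_report(data)
    info["expected_host"] = expected_rundll32_host(info["bits"])
    return info


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STUB_DLL_32
    for key, value in analyze(blob).items():
        print(f"{key}: {value}")
```

Run it with the sample path to see all four report_match entries turn True; with no argument it analyses the constructed stub, reports i386 / 32-bit / is_dll, predicts the SysWOW64 host seen in the process tree, and (correctly) reports no hash match against the report.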