Analysis
- max time kernel: 18s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-03-2021 13:07
Static task: static1
Behavioral task: behavioral1
- Sample: c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9.dll
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9.dll
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9.dll
- Size: 164KB
- MD5: 6a85fe97ccaa29d09e5df824d4eaad59
- SHA1: 1a21c93de1af252f9c293e4a39e63bc2775d2b02
- SHA256: c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9
- SHA512: a0c2749249ecdd4dd42389df8c89110ad1d0473a2b69f8aaf142a9b9faf5f6797231c49a060f534834fa69fe66a7aef85c7c02e5c4c121fbe118d0a93d8b9fff
- Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description / pid / process / target process):
  PID 616 created 1344 / 616 / WerFault.exe / rundll32.exe
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  616 / 1344 / WerFault.exe / rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
  616 / WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  Token: SeRestorePrivilege / 616 / WerFault.exe
  Token: SeBackupPrivilege / 616 / WerFault.exe
  Token: SeDebugPrivilege / 616 / WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 1052 wrote to memory of 1344 / 1052 / rundll32.exe / rundll32.exe
  PID 1052 wrote to memory of 1344 / 1052 / rundll32.exe / rundll32.exe
  PID 1052 wrote to memory of 1344 / 1052 / rundll32.exe / rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9.dll,#1
  PID: 1052
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9.dll,#1
    PID: 1344
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 808
      PID: 616
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/616-3-0x0000000004FB0000-0x0000000004FB1000-memory.dmp (Filesize: 4KB)
- memory/1344-2-0x0000000000000000-mapping.dmp
- memory/1344-4-0x0000000000510000-0x000000000051A000-memory.dmp (Filesize: 40KB)
- memory/1344-6-0x0000000000800000-0x0000000000801000-memory.dmp (Filesize: 4KB)
- memory/1344-5-0x0000000000520000-0x0000000000521000-memory.dmp (Filesize: 4KB)
- memory/1344-7-0x0000000000F40000-0x0000000000F41000-memory.dmp (Filesize: 4KB)
- memory/1344-8-0x0000000000F50000-0x0000000000F56000-memory.dmp (Filesize: 24KB)