Analysis
- max time kernel: 96s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 12-04-2021 13:34
Static task: static1
Behavioral task: behavioral1
- Sample: output.dll
- Resource: win7v20210410
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: output.dll
- Resource: win10v20210408
- 0 signatures
- 0 seconds
General
- Target: output.dll
- Size: 1.4MB
- MD5: 2688406bd73347d21e7ede2a7bbfaeab
- SHA1: 0df05dc29da8c921ed2db6e0ac725108ce9978e6
- SHA256: 57c99a4a83e155dd9503fc578670e9dc67aa25811988648c7790f1157c9a5271
- SHA512: 03fa90508f796a9cad3a6485c54bb98655469ec48f1062977d3e351147295fe79d27a2397ed50ef013d3d98b2014263bcdbd4abe3de8c04d055058f5688c9740
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  2220  1196         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
  pid   process
  1196  rundll32.exe   (2 entries)
  2220  WerFault.exe   (14 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                 pid   process
  Token: SeRestorePrivilege   2220  WerFault.exe
  Token: SeBackupPrivilege    2220  WerFault.exe
  Token: SeDebugPrivilege     2220  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process        target process
  PID 904 wrote to memory of 1196   904   rundll32.exe   rundll32.exe   (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\output.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\output.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 804
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1196-114-0x0000000000000000-mapping.dmp
- memory/1196-115-0x0000000000AE0000-0x0000000000C4C000-memory.dmp (Filesize: 1.4MB)
- memory/1196-116-0x00000000004C0000-0x00000000004C1000-memory.dmp (Filesize: 4KB)
- memory/1196-117-0x00000000004E0000-0x000000000062A000-memory.dmp (Filesize: 1.3MB)
- memory/1196-118-0x0000000000C50000-0x0000000000C69000-memory.dmp (Filesize: 100KB)