Analysis

Max time kernel:  40s
Max time network: 134s
Platform:         windows10_x64
Resource:         win10v20210408
Submitted:        01-05-2021 14:53
Tasks

Static task:      static1
Behavioral task:  behavioral1
  Sample:         8e4c0c3730667bf8dfb8c0ee23fbe8bb.dll
  Resource:       win7v20210410 (windows7_x64)
  Signatures:     0
  Runtime:        0 seconds
General

Target: 8e4c0c3730667bf8dfb8c0ee23fbe8bb.dll
Size:   632KB
MD5:    8e4c0c3730667bf8dfb8c0ee23fbe8bb
SHA1:   da344c94f80cfa5448782b1d5f52cd91bb59c49f
SHA256: 48a79cc89ec1002be655b5727c420d7a00fcdd044e0dea12e371af8804d1233f
SHA512: a61d3e57b9805d4b4926de80c07442be494417bc1d444290654fa9d0bca551c00dde3f09dc1700ac124b604cb39192c307423eb81ddec75b17ba5b7cefbc7897
Malware Config: (empty)

Signatures

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3264  4768        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid   process
    4768  rundll32.exe  (2 entries)
    3264  WerFault.exe  (14 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               pid   process
    Token: SeRestorePrivilege  3264  WerFault.exe
    Token: SeBackupPrivilege   3264  WerFault.exe
    Token: SeDebugPrivilege    3264  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process       target process
    PID 4656 wrote to memory of 4768   4656  rundll32.exe  rundll32.exe
    PID 4656 wrote to memory of 4768   4656  rundll32.exe  rundll32.exe
    PID 4656 wrote to memory of 4768   4656  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e4c0c3730667bf8dfb8c0ee23fbe8bb.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e4c0c3730667bf8dfb8c0ee23fbe8bb.dll,#1
      - Suspicious behavior: EnumeratesProcesses

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 704
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken