Analysis
- max time kernel: 49s
- max time network: 59s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-05-2021 15:38

Static task: static1
Behavioral task: behavioral1
Sample: c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580.dll
Resource: win10v20210408 (windows10_x64)
0 signatures
0 seconds
General
- Target: c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580.dll
- Size: 162KB
- MD5: 26894c7f4eac0bc7dab98c042e61cc43
- SHA1: 510b5714cb078c99491a9945e193b8b713097f62
- SHA256: c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580
- SHA512: 94d5fb93b3f0be22513995729fb80887c5e0a3ddeae1a2b47825571d50d344fd41b38caa0e4354ac24d8404e1e535e3c4ad23493da0884a235c1a22b1e26c056
Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2352  3720        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    2352  WerFault.exe  (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  2352  WerFault.exe
    Token: SeBackupPrivilege   2352  WerFault.exe
    Token: SeDebugPrivilege    2352  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process       target process
    PID 3920 wrote to memory of 3720  3920  rundll32.exe  rundll32.exe  (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 628
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3720-114-0x0000000000000000-mapping.dmp