Analysis
- max time kernel: 34s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-05-2021 10:08

Static task: static1
Behavioral task: behavioral1
  Sample: cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll
- Size: 909KB
- MD5: ee0a11ed10588b6c7c35b6a36f0998da
- SHA1: 21e0eb33704b6dcf2e1899d90d6600a5db60e864
- SHA256: cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80
- SHA512: e5319309a939ab8be761b94247e8f196a315f0e8bf66d1e31a94bde2f853dbc5143a2a2906ba0c0f2ef6f652e761de8befb78f545e6ea59aae9222e87fb4ec20
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  940   3196         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  940   WerFault.exe   (same pid/process pair reported 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                  pid   process
  Token: SeRestorePrivilege    940   WerFault.exe
  Token: SeBackupPrivilege     940   WerFault.exe
  Token: SeDebugPrivilege      940   WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                         pid    process        target process
  PID 3724 wrote to memory of 3196    3724   rundll32.exe   rundll32.exe
  (same row reported 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf6fea34af1f1e02cfc44a685bc90c9c8c04e18a722ccf61ec73d952df774f80.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 768
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3196-114-0x0000000000000000-mapping.dmp
- memory/3196-115-0x0000000003240000-0x00000000032A7000-memory.dmp (Filesize: 412KB)
- memory/3196-116-0x00000000032C0000-0x00000000032F4000-memory.dmp (Filesize: 208KB)
- memory/3196-117-0x0000000003320000-0x000000000346A000-memory.dmp (Filesize: 1.3MB)