Analysis
-
max time kernel
678s -
max time network
681s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
18-05-2021 21:02
Static task
static1
General
-
Target
4802545.xs2.dll
-
Size
110KB
-
MD5
cfb94c893280fd1edd40a4c74031727a
-
SHA1
9bf1f365e14842621854282f976b890478816a77
-
SHA256
3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4
-
SHA512
31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988
Malware Config
Signatures
-
Nloader Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1968-62-0x00000000001F0000-0x00000000001F5000-memory.dmp nloader -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1668 1968 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1668 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1668 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1988 wrote to memory of 1968 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 1968 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 1968 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 1968 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 1968 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 1968 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 1968 1988 rundll32.exe rundll32.exe PID 1968 wrote to memory of 1668 1968 rundll32.exe WerFault.exe PID 1968 wrote to memory of 1668 1968 rundll32.exe WerFault.exe PID 1968 wrote to memory of 1668 1968 rundll32.exe WerFault.exe PID 1968 wrote to memory of 1668 1968 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 4363⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1668