Analysis
- max time kernel: 40s
- max time network: 49s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 18-05-2021 19:25
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4802545.xs2.dll
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: 4802545.xs2.dll
- Size: 110KB
- MD5: cfb94c893280fd1edd40a4c74031727a
- SHA1: 9bf1f365e14842621854282f976b890478816a77
- SHA256: 3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4
- SHA512: 31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988
Malware Config
Signatures
- Nloader Payload (1 IoC)
  Processes:
  resource: behavioral2/memory/1300-115-0x0000000001040000-0x0000000001045000-memory.dmp
  yara_rule: nloader
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  3132  1300         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  3132  WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                 pid   process
  Token: SeRestorePrivilege   3132  WerFault.exe
  Token: SeBackupPrivilege    3132  WerFault.exe
  Token: SeDebugPrivilege     3132  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      pid   process        target process
  PID 852 wrote to memory of 1300  852   rundll32.exe   rundll32.exe
  PID 852 wrote to memory of 1300  852   rundll32.exe   rundll32.exe
  PID 852 wrote to memory of 1300  852   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 852
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
    PID: 1300
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 820
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3132