Analysis
- max time kernel: 26s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 00:46

Static task: static1
Behavioral task: behavioral1
Sample: 9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f.dll
Resource: win10v20210408
0 signatures
0 seconds
General
- Target: 9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f.dll
- Size: 162KB
- MD5: ad92991f47fea1353f57c380cca46683
- SHA1: f128f6787bbe1e5bb80d4a14846ccbf2b3be65ee
- SHA256: 9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f
- SHA512: bc35b5215615d9de33df63ad7ecb00cbb4617981adebcaf8a48bfc66cc2537c0a57ca80a6f66790febe359c0370134bdecac5fae58bd607278e069479d0ab6cb
- Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description              pid   process       target process
  PID 1332 created 1232    1332  WerFault.exe  rundll32.exe
Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  2020  1232        WerFault.exe  rundll32.exe
  1332  1232        WerFault.exe  rundll32.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
  pid   process
  2020  WerFault.exe  (14 entries)
  1332  WerFault.exe  (14 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   2020  WerFault.exe
  Token: SeBackupPrivilege    2020  WerFault.exe
  Token: SeDebugPrivilege     2020  WerFault.exe
  Token: SeDebugPrivilege     1332  WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                    pid  process       target process
  PID 64 wrote to memory of 1232  64   rundll32.exe  rundll32.exe
  PID 64 wrote to memory of 1232  64   rundll32.exe  rundll32.exe
  PID 64 wrote to memory of 1232  64   rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 632
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1232-114-0x0000000000000000-mapping.dmp