Analysis
- max time kernel: 18s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:03
Static task: static1
Behavioral task: behavioral1
Sample: e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4.dll
Resource: win10v20210410 (windows10_x64)
0 signatures
0 seconds
General
- Target: e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4.dll
- Size: 162KB
- MD5: 984659f72b2471de93d4f933a838a3d1
- SHA1: 85d0017e3f6e527c1cfffdc6a4effbddb928c9b8
- SHA256: e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4
- SHA512: 3d08d792ccd85e702a2e001f9b42e54a4e76a4a42faa4236cd42b6c47be9f08f816fcb2f72db21b1d000549a326d864e2e6be2a3bb2d3c62aaef5d7816fad8ae
- Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  - PID 2120 created 3156 | 2120 | WerFault.exe | rundll32.exe
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
  - 3176 | 3156 | WerFault.exe | rundll32.exe
  - 2120 | 3156 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes (pid | process):
  - 3176 | WerFault.exe (14 entries)
  - 2120 | WerFault.exe (14 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  - Token: SeRestorePrivilege | 3176 | WerFault.exe
  - Token: SeBackupPrivilege | 3176 | WerFault.exe
  - Token: SeDebugPrivilege | 3176 | WerFault.exe
  - Token: SeDebugPrivilege | 2120 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 2680 wrote to memory of 3156 | 2680 | rundll32.exe | rundll32.exe (3 entries)
Processes
- C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4.dll,#1
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 616
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 632
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4.dll,#1
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
-
memory/3156-114-0x0000000000000000-mapping.dmp