Analysis
  max time kernel:  11s
  max time network: 119s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        16-06-2021 14:43
Static task:     static1
Behavioral task: behavioral1
  Sample:   de9aac78d73718b4cb88e046cfdd8113.dll
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
General
  Target: de9aac78d73718b4cb88e046cfdd8113.dll
  Size:   893KB
  MD5:    de9aac78d73718b4cb88e046cfdd8113
  SHA1:   fddc61687e4a8e94a6ca9581979ece4aa7c08f08
  SHA256: 3b4d7f8036918c75267ca13980ac17419652c12d968336013808b04151b47455
  SHA512: 5abfb50760a0f5c180c50e185df70ecfafc00fb4ce300959f2e048897409a83f76a60f63f1c7250ef550a720cb9881600bec7da79e03b78c4316d10bbbfca3eb
Malware Config
Signatures

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1400  736         WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid   process
    736   rundll32.exe  (2 entries)
    1400  WerFault.exe  (14 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  1400  WerFault.exe
    Token: SeBackupPrivilege   1400  WerFault.exe
    Token: SeDebugPrivilege    1400  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process       target process
    PID 3380 wrote to memory of 736  3380  rundll32.exe  rundll32.exe  (3 entries)
Processes

1. C:\Windows\system32\rundll32.exe (PID 3380)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9aac78d73718b4cb88e046cfdd8113.dll,#1
   signatures:   Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 736)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9aac78d73718b4cb88e046cfdd8113.dll,#1
      signatures:   Suspicious behavior: EnumeratesProcesses

      3. C:\Windows\SysWOW64\WerFault.exe (PID 1400)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 716
         signatures:   Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken