Analysis

- max time kernel: 16s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-06-2021 14:49

Static task: static1
Behavioral task: behavioral1
- Sample: f1fb3abb2393f77b6192945aa277151d.dll
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds
General

- Target: f1fb3abb2393f77b6192945aa277151d.dll
- Size: 893KB
- MD5: f1fb3abb2393f77b6192945aa277151d
- SHA1: f62a31eb33e26cabdbd3ef843bd19c95df47dcdb
- SHA256: 75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1
- SHA512: 2037d379bf63b064ae1ed350dded6ebf73dd23002933d64de7d379995f21c21959369934e903f8ab94099db9c40b2f609e873245d1c6b7f57680d3796031f3d0
Malware Config
Signatures

- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3524  1220        WerFault.exe  rundll32.exe

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
  pid   process       hits
  1220  rundll32.exe  2
  3524  WerFault.exe  14

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  3524  WerFault.exe
  Token: SeBackupPrivilege   3524  WerFault.exe
  Token: SeDebugPrivilege    3524  WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      pid  process       target process  hits
  PID 656 wrote to memory of 1220  656  rundll32.exe  rundll32.exe    3
Processes

- C:\Windows\system32\rundll32.exe (PID 656)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1fb3abb2393f77b6192945aa277151d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1220)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1fb3abb2393f77b6192945aa277151d.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (PID 3524)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 720
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
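Reading the signatures against the process tree: the 64-bit rundll32.exe (PID 656) re-spawns a 32-bit copy of itself under SysWOW64 (PID 1220) with the same command line, which is what happens when a 64-bit host is handed a 32-bit DLL; the DLL is loaded from the user's Temp folder and its export is called by ordinal (#1); the 32-bit child then crashes, and WerFault.exe (PID 3524) is started with `-p 1220` to report on it. Every AdjustPrivilegeToken hit and 14 of the 16 EnumeratesProcesses hits belong to PID 3524, so they describe the crash handler, not the sample. The script below is an added example, not part of the sandbox report or its tooling: it rebuilds that tree from process-creation events constructed to match the report, flags the rundll32 chain, maps WerFault's `-p` argument back to the crashed process, and separates signature hits raised by the crash handler from those raised by the sample's own processes. The parent PID of the first rundll32.exe (0) and the list of user-writable paths are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events modelled on the report's process tree:
# (pid, parent pid, image path, command line). PIDs come from the report's
# signature tables; the parent of the first rundll32.exe is not shown in the
# report, so 0 is an assumption.
EVENTS = [
    (656, 0, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1fb3abb2393f77b6192945aa277151d.dll,#1"),
    (1220, 656, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1fb3abb2393f77b6192945aa277151d.dll,#1"),
    (3524, 1220, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 720"),
]

# Signature hits as (signature, pid), with the counts the report lists.
SIGNATURES = (
    [("EnumeratesProcesses", 1220)] * 2
    + [("EnumeratesProcesses", 3524)] * 14
    + [("AdjustPrivilegeToken:" + t, 3524)
       for t in ("SeRestorePrivilege", "SeBackupPrivilege", "SeDebugPrivilege")]
    + [("WriteProcessMemory", 656)] * 3
)

# Assumed list of user-writable locations a legitimately installed DLL is not loaded from.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# rundll32 <dll>,<export>  where <export> is a name or an ordinal written as #N
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#?\w+)', re.I)
WERFAULT_PID = re.compile(r"-p\s+(\d+)")  # WerFault.exe -u -p <crashed pid> -s <event>


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    findings: list = field(default_factory=list)


def analyze(events, signatures):
    """Build the process tree, flag the rundll32 chain and attribute signature hits."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    crashed = {}  # crashed pid -> pid of the WerFault.exe that handled it

    for p in procs.values():
        img = p.image.lower()
        if img.endswith("rundll32.exe"):
            m = RUNDLL_ARG.search(p.cmdline)
            if m:
                dll, export = m.group("dll"), m.group("export")
                if any(seg in dll.lower() for seg in USER_WRITABLE):
                    p.findings.append(f"rundll32 loads DLL from user-writable path: {dll}")
                if export.startswith("#"):
                    p.findings.append(f"export called by ordinal {export}, not by name")
            parent = procs.get(p.ppid)
            if (parent and parent.image.lower().endswith("rundll32.exe")
                    and "\\syswow64\\" in img and "\\system32\\" in parent.image.lower()):
                p.findings.append("64-bit rundll32 re-spawned 32-bit (WOW64) rundll32: DLL is 32-bit")
        elif img.endswith("werfault.exe"):
            m = WERFAULT_PID.search(p.cmdline)
            if m:
                target = int(m.group(1))
                crashed[target] = p.pid
                if target in procs:
                    procs[target].findings.append(f"crashed; WerFault pid {p.pid} reported it")

    # Hits raised by the crash handler describe WerFault's own behaviour, not the sample's.
    handler_pids = set(crashed.values())
    sample_hits = [(s, pid) for s, pid in signatures if pid not in handler_pids]
    handler_hits = [(s, pid) for s, pid in signatures if pid in handler_pids]
    return procs, crashed, sample_hits, handler_hits


if __name__ == "__main__":
    procs, crashed, sample_hits, handler_hits = analyze(EVENTS, SIGNATURES)
    for p in procs.values():
        print(f"PID {p.pid} (parent {p.ppid}) {p.image}")
        for finding in p.findings:
            print(f"    - {finding}")
    print(f"crashed processes -> reporting WerFault: {crashed}")
    print(f"signature hits attributable to the sample chain: {len(sample_hits)}")
    print(f"signature hits raised by the crash handler:     {len(handler_hits)}")
```

On the report's numbers this leaves 5 hits on the sample chain (2 EnumeratesProcesses on PID 1220, 3 WriteProcessMemory on PID 656, the latter being the parent rundll32 writing into the child it just created) and moves 17 to WerFault.exe. The same tree-walk works on real Sysmon or EDR process-creation events once they are mapped to the (pid, ppid, image, cmdline) tuples above.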