Analysis
max time kernel: 19s
max time network: 126s
platform: windows10_x64
resource: win10v20210410
submitted: 20-06-2021 23:02
Static task: static1
Behavioral task: behavioral1
Sample: 6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c.dll
Resource: win10v20210410 (windows10_x64)
Signatures: 0
Time: 0 seconds
General
Target: 6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c.dll
Size: 162KB
MD5: 117db81cc53dfb35eb967e9e7d15de5e
SHA1: 3ec4986186dbf359831c7214e04992929a1d9baa
SHA256: 6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c
SHA512: 6d05f30381896223fc51c582e2aff3f7c75d410e1af57eb3d05f4fec6a429c0a8b4cc51b2590e60ecbd7620b3c0601b99efdd3777f735414ff9a57b6b5209f64
Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description                 pid   process       target process
  PID 3476 created 400        3476  WerFault.exe  rundll32.exe

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  4076  400         WerFault.exe  rundll32.exe
  3476  400         WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
  pid   process
  4076  WerFault.exe  (14 identical entries)
  3476  WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description               pid   process
  Token: SeRestorePrivilege 4076  WerFault.exe
  Token: SeBackupPrivilege  4076  WerFault.exe
  Token: SeDebugPrivilege   4076  WerFault.exe
  Token: SeDebugPrivilege   3476  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid   process       target process
  PID 3944 wrote to memory of 400  3944  rundll32.exe  rundll32.exe
  PID 3944 wrote to memory of 400  3944  rundll32.exe  rundll32.exe
  PID 3944 wrote to memory of 400  3944  rundll32.exe  rundll32.exe
Processes (process tree, indentation shows parent/child nesting)

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 588
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/400-114-0x0000000000000000-mapping.dmp