Analysis

Max time kernel: 18s
Max time network: 113s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 20-06-2021 22:02

Static task: static1
Behavioral task: behavioral1
Sample: f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll
Resource: win10v20210410 (windows10_x64)
0 signatures
0 seconds
General

Target: f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll
Size: 162KB
MD5: 53d7825bfc59b2876ff730be923b0f22
SHA1: b17f53f1fc3d0b79452ef381351555436ae3c107
SHA256: f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02
SHA512: c63ce781ce37491608ce3e8075fabc9f6067182b03217f1fa7ec982293d8fdca2e670e3d8aacbf5d8dede800b407fb04aace418dd4aa79194cca91d0a83c8aca
Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description               pid   process       target process
  PID 2592 created 3192     2592  WerFault.exe  rundll32.exe

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  3376  3192        WerFault.exe  rundll32.exe
  2592  3192        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
  pid   process
  3376  WerFault.exe  (14 entries)
  2592  WerFault.exe  (14 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3376  WerFault.exe
  Token: SeBackupPrivilege   3376  WerFault.exe
  Token: SeDebugPrivilege    3376  WerFault.exe
  Token: SeDebugPrivilege    2592  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process       target process
  PID 2576 wrote to memory of 3192  2576  rundll32.exe  rundll32.exe  (3 entries)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 620
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
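The process tree above shows a recognisable shape: a 64-bit rundll32.exe is asked to load a DLL from the user's Temp directory by ordinal (",#1"), it hands off to the SysWOW64 (32-bit) rundll32.exe, and that 32-bit instance (PID 3192) is then reported on twice by WerFault.exe ("-p 3192"), i.e. the sample crashed under analysis. The following is an added example, not part of this sandbox report or of any vendor tooling: a small detector that finds exactly that pattern in Sysmon-style process-creation records. The event records are constructed for the example (PIDs, images and command lines are copied from the tree above; the parent of PID 2576 and the two benign control events are invented), and the regular expressions and field names are the example's own assumptions.

```python
"""Correlate rundll32 Temp-DLL loads with WerFault crash reports (added example).

Not part of the sandbox report; constructed to illustrate the process tree it
shows.  Records follow Sysmon Event ID 1 field names (ProcessId, ParentProcessId,
Image, CommandLine); the data below is assembled by hand for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int            # rundll32 instance WerFault reported on
    dll: str            # DLL that instance was asked to load
    ordinal: int        # export ordinal requested after ",#"
    werfault_pids: list  # WerFault instances launched with "-p <pid>"


# rundll32 <...\AppData\Local\Temp\...>.dll,#<ordinal>   (assumed pattern)
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\s\"]*\\AppData\\Local\\Temp\\[^\s\",]+\.dll)\"?"
    r"\s*,\s*#(?P<ordinal>\d+)",
    re.IGNORECASE,
)
# WerFault.exe ... -p <pid of the faulting process>
WERFAULT_TARGET = re.compile(r"werfault\.exe\s+.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)


def find_temp_ordinal_loads(events):
    """Map pid -> (dll, ordinal) for each rundll32 loading a Temp DLL by ordinal."""
    loads = {}
    for ev in events:
        if not ev.image.lower().endswith("rundll32.exe"):
            continue
        m = RUNDLL32_TEMP_ORDINAL.search(ev.cmdline)
        if m:
            loads[ev.pid] = (m.group("dll"), int(m.group("ordinal")))
    return loads


def correlate_crashes(events):
    """Return one Finding per suspicious rundll32 that WerFault later reported on."""
    loads = find_temp_ordinal_loads(events)
    crashes = {}
    for ev in events:
        if not ev.image.lower().endswith("werfault.exe"):
            continue
        m = WERFAULT_TARGET.search(ev.cmdline)
        if m and int(m.group("pid")) in loads:
            crashes.setdefault(int(m.group("pid")), []).append(ev.pid)
    return [Finding(pid, loads[pid][0], loads[pid][1], sorted(reporters))
            for pid, reporters in sorted(crashes.items())]


def lineage(events, pid):
    """Walk parent links upward; exposes the 64-bit -> SysWOW64 rundll32 hand-off."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


# Constructed events mirroring the report's process tree.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll")
SAMPLE_EVENTS = [
    ProcEvent(2576, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3192, 2576, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3376, 3192, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 616"),
    ProcEvent(2592, 3192, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 620"),
    # Invented control: rundll32 loading a system DLL by export name, no crash.
    ProcEvent(4100, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Invented control: WerFault for an unrelated process.
    ProcEvent(4200, 4100, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 100"),
]


if __name__ == "__main__":
    for f in correlate_crashes(SAMPLE_EVENTS):
        print(f"rundll32 pid {f.pid} loaded {f.dll} by ordinal #{f.ordinal}; "
              f"reported by WerFault pids {f.werfault_pids}")
        print("  lineage:", " <- ".join(lineage(SAMPLE_EVENTS, f.pid)))
```

The correlation keys on the WerFault "-p" argument rather than on the EnumeratesProcesses and AdjustPrivilegeToken signatures, because those are attributed to WerFault.exe in the report and are what Windows Error Reporting does when it opens a faulting process to write a dump (SeDebugPrivilege, process enumeration); they describe the crash handler, not the sample. A DLL that crashes twice as soon as its ordinal-1 export runs under a sandbox is worth a closer static look, but the report alone does not say why it crashed.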
Network
MITRE ATT&CK Matrix
Downloads
-
memory/3192-114-0x0000000000000000-mapping.dmp