Analysis
max time kernel: 26s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 21-06-2021 01:02
Static task: static1
Behavioral task: behavioral1
Sample: 831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6.dll
Resource: win10v20210408 (windows10_x64)
0 signatures
0 seconds
General
Target: 831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6.dll
Size: 162KB
MD5: a4f3a6f39c608def79563d186c17c97e
SHA1: 71e11ce28337a3027d0ea9cb6e40527e6fce1f5a
SHA256: 831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6
SHA512: 739ff3dcafd7303d9c8d32f5beb55ef1bda0d918478681f06a68934cf796d348243ed0fce11d56552f3376b2dbdaf6403ca20232bc0dd4065906792e492a5dfd
Score: 10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description                pid   process       target process
  PID 1996 created 784       1996  WerFault.exe  rundll32.exe
-
Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  4032  784         WerFault.exe  rundll32.exe
  1996  784         WerFault.exe  rundll32.exe
-
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
  pid   process
  4032  WerFault.exe  (14 entries)
  1996  WerFault.exe  (14 entries)
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   4032  WerFault.exe
  Token: SeBackupPrivilege    4032  WerFault.exe
  Token: SeDebugPrivilege     4032  WerFault.exe
  Token: SeDebugPrivilege     1996  WerFault.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process       target process
  PID 3716 wrote to memory of 784    3716  rundll32.exe  rundll32.exe
  PID 3716 wrote to memory of 784    3716  rundll32.exe  rundll32.exe
  PID 3716 wrote to memory of 784    3716  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 636
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/784-114-0x0000000000000000-mapping.dmp