Analysis
- max time kernel: 18s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-06-2021 00:02

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480.dll
- Resource: win10v20210410 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480.dll
- Size: 162KB
- MD5: ddbd753ef4e84e284f6417c2b3aa825e
- SHA1: 814719b470431afb3d73e33ed0d5f37be9b9bbfd
- SHA256: e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480
- SHA512: 2e8ca67d8dbc619505985076372d3fa10718316a5ccb54846b892f3c85d30123a0c7055005feef1ad0733d6b953d4ae1a3b86692181474c6cd1f63b0f3b561e2
- Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description              pid   process       target process
    PID 1420 created 3876    1420  WerFault.exe  rundll32.exe
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    2304  3876        WerFault.exe  rundll32.exe
    1420  3876        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes:
    pid   process
    2304  WerFault.exe  (14 occurrences)
    1420  WerFault.exe  (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  2304  WerFault.exe
    Token: SeBackupPrivilege   2304  WerFault.exe
    Token: SeDebugPrivilege    2304  WerFault.exe
    Token: SeDebugPrivilege    1420  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process       target process
    PID 3916 wrote to memory of 3876    3916  rundll32.exe  rundll32.exe
    PID 3916 wrote to memory of 3876    3916  rundll32.exe  rundll32.exe
    PID 3916 wrote to memory of 3876    3916  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 636
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3876-114-0x0000000000000000-mapping.dmp