Analysis
- max time kernel: 14s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 29-06-2021 02:19

Static task: static1

Behavioral task: behavioral1
- Sample: dCurTable.jpg.dll
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: dCurTable.jpg.dll
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: dCurTable.jpg.dll
- Size: 3.0MB
- MD5: 6daccc54cd517e02c320ff14461ae729
- SHA1: d6997e1f95b31701a75a2082528f23ec34b47003
- SHA256: 8368a955dd5d9850ed8ced6144a202368c52e065abafdb71a7960d3a90647e85
- SHA512: f6940556982687110d64ecc6acfa20e89d929a896d4b7e2b974011db02b9a3aa18f6145425cace9690d7d859ee4f2b7f808ea8518a84d76a2050c7218ea28594
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid 3024 WerFault.exe -> target pid 3164 regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid 3024 WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege  pid 3024 WerFault.exe
    Token: SeBackupPrivilege   pid 3024 WerFault.exe
    Token: SeDebugPrivilege    pid 3024 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 804 regsvr32.exe wrote to memory of PID 3164 regsvr32.exe (3 identical entries)
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dCurTable.jpg.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\dCurTable.jpg.dll
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 628
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken