Analysis
- max time kernel: 12s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 29-06-2021 02:20
Static task: static1

Behavioral task: behavioral1
- Sample: winSelBefore.jpg.dll
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: winSelBefore.jpg.dll
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: winSelBefore.jpg.dll
- Size: 3.0MB
- MD5: 3338255935766fef84a53e2aaaac6d34
- SHA1: 625bfb066ef13e19a59f6559cb3a1f42aba58d2b
- SHA256: 0bb797aef9711d46a54f363b0d28211337605db7d84b079e91cae672f7a981d4
- SHA512: 0c7b274ecea5a394721a689de68e0560afece27703b76db5839dcf830fd0e3ff2a1e730edd59d8121b02671283b4fd06ad345b781e854a0c3a63b84b7f064f40
- Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  204   900          WerFault.exe   regsvr32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  204   WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   204   WerFault.exe
  Token: SeBackupPrivilege    204   WerFault.exe
  Token: SeDebugPrivilege     204   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid    process        target process
  PID 3944 wrote to memory of 900   3944   regsvr32.exe   regsvr32.exe   (3 identical entries)
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\winSelBefore.jpg.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\winSelBefore.jpg.dll
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 628
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken