Analysis

max time kernel:   10s
max time network:  116s
platform:          windows10_x64
resource:          win10v20210410
submitted:         29-06-2021 02:19
Static task: static1

Behavioral task: behavioral1
  Sample:    nameTpl.jpg.dll
  Resource:  win7v20210408 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:    nameTpl.jpg.dll
  Resource:  win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General

Target:  nameTpl.jpg.dll
Size:    3.0MB
MD5:     c5d74107de9630e130f8cfcf53658ea6
SHA1:    c3b7ff6ab811df23c6f116d4566c819665685393
SHA256:  9822e135cafc24d7d610a2831cd97e13c0f2b3ce1935aadde0bbbcf140395bba
SHA512:  9c25d9fb78b7dd441d19f31d6e47788359bc7cf7e8934e9762be81f2747c1264a1ed6ef2f277bc97ce0679fe5f34abe392b14faedc3d587124a26b909edf5db1
Score:   3/10
Malware Config

Signatures

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2684  724         WerFault.exe  regsvr32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    2684  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               pid   process
    Token: SeRestorePrivilege 2684  WerFault.exe
    Token: SeBackupPrivilege  2684  WerFault.exe
    Token: SeDebugPrivilege   2684  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process       target process
    PID 3736 wrote to memory of 724  3736  regsvr32.exe  regsvr32.exe
    PID 3736 wrote to memory of 724  3736  regsvr32.exe  regsvr32.exe
    PID 3736 wrote to memory of 724  3736  regsvr32.exe  regsvr32.exe
Processes

1. C:\Windows\system32\regsvr32.exe
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\nameTpl.jpg.dll
     - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\nameTpl.jpg.dll

      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 628
           - Program crash
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken