Analysis

max time kernel: 299s
max time network: 247s
platform: windows10_x64
resource: win10v20210408
submitted: 01-07-2021 13:54

Static task: static1

Behavioral task: behavioral1
Sample: zos6.dll
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: zos6.dll
Resource: win10v20210408 (windows10_x64)
0 signatures, 0 seconds
General

Target: zos6.dll
Size: 403KB
MD5: 91861834710517931916b180bdbf2b4b
SHA1: b1291233ea3dea5159e261b1ab3fd7310a64ac42
SHA256: 59fa95def88159bd57001640175e65dad7e4d76279ff15faadb6ef75f8e880f2
SHA512: 523a7296a8a8cba86a40253b9af6a02d77ab86756885dfa0938fb2ac9bdbe70823469bbf14247aca0af50d7fb8f4ed384e400a0beaf7183bf4d1b49938165bf4
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
  pid 1016 WerFault.exe -> target pid 2460 regsvr32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1016 WerFault.exe (14 identical events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege  pid 1016 WerFault.exe
  Token: SeBackupPrivilege   pid 1016 WerFault.exe
  Token: SeDebugPrivilege    pid 1016 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 900 wrote to memory of 2460  regsvr32.exe -> regsvr32.exe (3 identical events)

Reading the signatures: every hit except WriteProcessMemory comes from WerFault.exe (PID 1016), the Windows Error Reporting handler started for the faulting regsvr32.exe (PID 2460). Enabling SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege and enumerating processes is WerFault's normal crash-dump collection, not behaviour of zos6.dll. The WriteProcessMemory events are the 64-bit regsvr32.exe (PID 900) creating its 32-bit SysWOW64 counterpart (PID 2460), which is what regsvr32 does when handed a 32-bit DLL on a 64-bit host. Net effect: the DLL was loaded, the loading process crashed, and no activity attributable to the DLL itself was recorded, which is consistent with the 3/10 score. The report does not say why PID 2460 faulted.
Processes

C:\Windows\system32\regsvr32.exe (PID 900)
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\zos6.dll
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 2460)
      /s C:\Users\Admin\AppData\Local\Temp\zos6.dll
        C:\Windows\SysWOW64\WerFault.exe (PID 1016)
          C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 628
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature tables above. The chain is the 64-bit regsvr32 re-launching the SysWOW64 regsvr32 for the 32-bit DLL, and that child then faulting; the -p 2460 argument on the WerFault.exe command line is the PID of the faulting process, which ties the crash to the SysWOW64 regsvr32 rather than to the sample's own code.
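As an added example (not part of the sandbox report or its vendor's tooling), the following Python turns the process chain above into a detection over process-creation events: it flags regsvr32.exe registering a DLL from a user-writable directory such as AppData\Local\Temp, recognises the system32 -> SysWOW64 regsvr32 re-launch, and attributes a WerFault.exe crash report to the faulting PID from its -p argument. The events are constructed from the report's PIDs, images and command lines; the parent PID of regsvr32.exe 900 and the flat (pid, ppid, image, cmdline) event shape are assumptions, not any real EDR schema.

```python
"""Detection over process-creation events for the regsvr32 -> regsvr32 (WoW64)
-> WerFault chain seen in the zos6.dll sandbox run.  Added example; the
events below are constructed from the report's process tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process tree.  PIDs, images and
# command lines are the report's; the parent of PID 900 is not in the report,
# so ppid 4000 is a placeholder (assumption).
EVENTS = [
    ProcEvent(900, 4000, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\zos6.dll"),
    ProcEvent(2460, 900, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s C:\Users\Admin\AppData\Local\Temp\zos6.dll"),
    ProcEvent(1016, 2460, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 628"),
]

# Directories an unprivileged user can write to.  A COM server registered from
# one of these by regsvr32 deserves a look; a vendor install from Program Files
# usually does not.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|"
    r"\\ProgramData\\|\\Windows\\Temp\\",
    re.IGNORECASE,
)
# First drive-letter path ending in .dll/.ocx on the command line (quoted or not).
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|ocx))"?', re.IGNORECASE)
# WerFault.exe is started with -p <pid> naming the faulting process.
WERFAULT_PID = re.compile(r"\s-p\s+(\d+)\b")


def is_image(event, name):
    """Case-insensitive match on the image file name, ignoring the directory."""
    return event.image.lower().endswith("\\" + name)


def dll_from_user_writable_path(cmdline):
    """Return the DLL/OCX path passed to regsvr32 if it lives in a user-writable
    directory, else None."""
    m = DLL_ARG.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        return m.group(1)
    return None


def werfault_target(cmdline):
    """PID of the faulting process from a WerFault.exe command line, or None."""
    m = WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def analyze(events):
    """One finding per regsvr32.exe that registered a DLL from a user-writable
    path, noting whether it is the WoW64 re-launch of a parent regsvr32 and
    whether WerFault later reported it as crashed."""
    by_pid = {e.pid: e for e in events}
    crashed = {werfault_target(e.cmdline)
               for e in events if is_image(e, "werfault.exe")}
    findings = []
    for e in events:
        if not is_image(e, "regsvr32.exe"):
            continue
        dll = dll_from_user_writable_path(e.cmdline)
        if dll is None:
            continue
        parent = by_pid.get(e.ppid)
        wow64_relaunch = (parent is not None
                          and is_image(parent, "regsvr32.exe")
                          and "\\syswow64\\" in e.image.lower())
        findings.append({
            "pid": e.pid,
            "dll": dll,
            "wow64_relaunch_of": parent.pid if wow64_relaunch else None,
            "crashed": e.pid in crashed,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run against the constructed events it yields two findings, PID 900 and PID 2460, with 2460 marked as the WoW64 re-launch of 900 and as the process WerFault reported. The crash attribution matters in triage: a regsvr32 that dies immediately after loading a DLL from Temp says nothing about what the DLL would have done under its intended loader, so a hit here is a reason to look at the file, not a verdict on it.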