Analysis
Max time kernel: 13s
Max time network: 114s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 02-07-2021 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: triage_dropped_file.dll
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: triage_dropped_file.dll
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General
Target: triage_dropped_file.dll
Size: 403KB
MD5: 73dea2992305472953f55173a8df4e97
SHA1: c793820db2776f423bca9a7bf517a38a735f3bee
SHA256: 30b4227e51c4964d07a5246cdab168f465790dd8846dac5e8376c2afed5a1485
SHA512: fdfba7054410e5a743fad104dc9aaac234897ed598c0cc7b5c87150f288b1eec186890873e03a0ad75a8fc2a72a562d5ea0053bc90d25476f37b843dd71cffd8
Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
  Processes:
    pid 3172 WerFault.exe, target pid 2408 regsvr32.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid 3172 WerFault.exe (15 occurrences)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege, pid 3172 WerFault.exe
    Token: SeBackupPrivilege, pid 3172 WerFault.exe
    Token: SeDebugPrivilege, pid 3172 WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 3152 regsvr32.exe wrote to memory of 2408 regsvr32.exe (3 occurrences)
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 624
         Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken