Analysis
max time kernel: 13s
max time network: 114s
platform: windows10_x64
resource: win10v20210410
submitted: 10-07-2021 10:37
Behavioral task: behavioral1
Sample: e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll
Resource: win10v20210410 (windows10_x64)
0 signatures, 0 seconds
General
Target: e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll
Size: 8.3MB
MD5: cf903aa75574ea4b1be9c96a027203d3
SHA1: b9c5441919d9a247aa7449b354bb8c100665d23e
SHA256: e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd
SHA512: 152dbd473d2277a95ec79a3d57f047ec8026617efc0117ad82d20102ca6a45c8ebb1a237fb0b0c0a40d5dee10c5f240cf946de73cdd11a523138270bad891b1f
Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
Processes:
pid 1860 WerFault.exe, target pid 3212 rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid 1860 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
Token: SeRestorePrivilege, pid 1860 WerFault.exe
Token: SeBackupPrivilege, pid 1860 WerFault.exe
Token: SeDebugPrivilege, pid 1860 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
PID 1852 rundll32.exe wrote to memory of PID 3212 rundll32.exe (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll,#1
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 596
         Program crash
         Suspicious behavior: EnumeratesProcesses
         Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/3212-114-0x0000000000000000-mapping.dmp