Analysis
-
max time kernel
11s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
26-07-2021 12:40
Static task
static1
Behavioral task
behavioral1
Sample
189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll
-
Size
76KB
-
MD5
481bb895c8b953b598719262328ccd12
-
SHA1
99d3504e713f3ae31eee340fca81a250f4f805dd
-
SHA256
189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca
-
SHA512
3bdf91baae548cddfae44cf4b80573c68a4ba5e7b0d216294ae90b19e400a0486bb75066a3a3e7aa3bf0b595474949f3ac784c319e995075def6eb30c84b4f23
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4020 808 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe 4020 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4020 WerFault.exe Token: SeBackupPrivilege 4020 WerFault.exe Token: SeDebugPrivilege 4020 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1852 wrote to memory of 808 1852 rundll32.exe rundll32.exe PID 1852 wrote to memory of 808 1852 rundll32.exe rundll32.exe PID 1852 wrote to memory of 808 1852 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 6363⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/808-114-0x0000000000000000-mapping.dmp