Analysis
- max time kernel: 13s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 12:40
Static task: static1

Behavioral task: behavioral1
- Sample: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll
- Resource: win7v20210408
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll
- Resource: win10v20210410
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll
- Size: 80KB
- MD5: 340d2d405126ba3e5edc8337a6ddb5b5
- SHA1: c83f4535ce3c47fa2edf3d94e2e5b153f757b8f4
- SHA256: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f
- SHA512: 180aa77d588bca616ac3a2db235e692006b93b7390948ee18c0aa59a6b1cea9f41f641a84a55df77a5da5788b6df7e9752fb17a242169b0961f8a9799c0f60f6
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2064  592         WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    2064  WerFault.exe   (same row listed 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  2064  WerFault.exe
    Token: SeBackupPrivilege   2064  WerFault.exe
    Token: SeDebugPrivilege    2064  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process       target process
    PID 3408 wrote to memory of 592  3408  rundll32.exe  rundll32.exe   (same row listed 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 632
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/592-114-0x0000000000000000-mapping.dmp