Resubmissions
  Submitted            ID                   Score
  17-11-2023 10:10     231117-l7lv5ahg41    3
  12-10-2021 17:50     211012-weydkachb3    10
  04-10-2021 13:08     211004-qdgrjagden    10

Analysis
  max time kernel:   119s
  max time network:  151s
  platform:          windows10_x64
  resource:          win10-en-20210920
  submitted:         04-10-2021 13:08
Behavioral tasks
  behavioral1
    Sample:    df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll
    Resource:  win7-en-20210920
    Platform:  windows7_x64
    0 signatures, 0 seconds
  behavioral2
    Sample:    df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll
    Resource:  win10-en-20210920
    Platform:  windows10_x64
    0 signatures, 0 seconds
General
  Target:  df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll
  Size:    660KB
  MD5:     ab756f154d266c8ba19bdfa8bcaf1b73
  SHA1:    3f174379229f9607c4be034cb545c9b4492ec9f5
  SHA256:  df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7
  SHA512:  19512e303fd7e65a5b4c78decb3c05b13a8b06f281f936a1e9e69a82b0e1c34d4173e59a2644c38f1c80a4974e4fcdc40c84c1c073cdc47932f525426b3db9b8
  Score:   3/10
Malware Config

Signatures
  Program crash (1 IoC)
    Processes:
      process        pid    target pid   target process
      WerFault.exe   3972   3680         rundll32.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    Processes:
      process        pid
      WerFault.exe   3972   (14 occurrences)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Processes:
      description                  pid    process
      Token: SeRestorePrivilege    3972   WerFault.exe
      Token: SeBackupPrivilege     3972   WerFault.exe
      Token: SeDebugPrivilege      3972   WerFault.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      description                         pid    process        target process
      PID 3572 wrote to memory of 3680    3572   rundll32.exe   rundll32.exe   (3 occurrences)
Processes
  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll,#1
      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 600
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  memory/3680-115-0x0000000000000000-mapping.dmp