Resubmissions
- 17-11-2023 10:10  231117-l7lv5ahg41  3
- 12-10-2021 17:50  211012-weydkachb3  10
- 04-10-2021 13:08  211004-qdgrjagden  10
Analysis
- max time kernel: 147s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 12-10-2021 17:50
Behavioral task: behavioral1
- Sample: df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll
- Resource: win7-en-20210920
- windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll
- Resource: win10v20210408
- windows10_x64
- 0 signatures
- 0 seconds
General
- Target: df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll
- Size: 660KB
- MD5: ab756f154d266c8ba19bdfa8bcaf1b73
- SHA1: 3f174379229f9607c4be034cb545c9b4492ec9f5
- SHA256: df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7
- SHA512: 19512e303fd7e65a5b4c78decb3c05b13a8b06f281f936a1e9e69a82b0e1c34d4173e59a2644c38f1c80a4974e4fcdc40c84c1c073cdc47932f525426b3db9b8
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
  1188  3868  WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process):
  1188  WerFault.exe  (13 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeRestorePrivilege  1188  WerFault.exe
  Token: SeBackupPrivilege  1188  WerFault.exe
  Token: SeDebugPrivilege  1188  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1456 wrote to memory of 3868  1456  rundll32.exe  rundll32.exe  (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\df60102fff5974a55fb6d5f4683f2565b347a0412492514e07be9b03c7c856b7.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 600
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3868-114-0x0000000000000000-mapping.dmp