Analysis
max time kernel: 118s
max time network: 145s
platform: windows10_x64
resource: win10-en-20211014
submitted: 01-11-2021 23:10
Static task: static1

Behavioral task: behavioral1
  Sample: 1fb8a2e53470ab81629bb7abeda6211ad814bbc3038f8abf001e8b3f21fc14ec.dll
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 1fb8a2e53470ab81629bb7abeda6211ad814bbc3038f8abf001e8b3f21fc14ec.dll
  Resource: win10-en-20211014 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 1fb8a2e53470ab81629bb7abeda6211ad814bbc3038f8abf001e8b3f21fc14ec.dll
Size: 2.5MB
MD5: f87f5ddd8086130c876d84396ae61d16
SHA1: c2a0e84fa60dfc54c02b162462b3585a3b12a93d
SHA256: 1fb8a2e53470ab81629bb7abeda6211ad814bbc3038f8abf001e8b3f21fc14ec
SHA512: 80f71715f317750e1d4f0b414c40b97cba24bf560c2ba55a5ad4d774b3ddebfe82a2ec4b56baede41abacffcc315cb46995a5f8199bd9acd35654d27b679e519
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    4032  3384         WerFault.exe   regsvr32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    4032  WerFault.exe   (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                  pid   process
    Token: SeRestorePrivilege    4032  WerFault.exe
    Token: SeBackupPrivilege     4032  WerFault.exe
    Token: SeDebugPrivilege      4032  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                          pid   process        target process
    PID 3168 wrote to memory of 3384     3168  regsvr32.exe   regsvr32.exe   (3 identical entries)
Processes

1. C:\Windows\system32\regsvr32.exe
   Command: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1fb8a2e53470ab81629bb7abeda6211ad814bbc3038f8abf001e8b3f21fc14ec.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command: /s C:\Users\Admin\AppData\Local\Temp\1fb8a2e53470ab81629bb7abeda6211ad814bbc3038f8abf001e8b3f21fc14ec.dll
      3. C:\Windows\SysWOW64\WerFault.exe
         Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 612
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken