Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
01-12-2021 18:24
Static task
static1
Behavioral task
behavioral1
Sample
0x000100000001ab31-114.dat.dll
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
0x000100000001ab31-114.dat.dll
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe
Resource
win7-en-20211104
Behavioral task
behavioral4
Sample
3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe
Resource
win10-en-20211014
General
-
Target
0x000100000001ab31-114.dat.dll
-
Size
11KB
-
MD5
fccff8cb7a1067e23fd2e2b63971a8e1
-
SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91
-
SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
-
SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1500 1176 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1500 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1500 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1060 wrote to memory of 1176 1060 rundll32.exe rundll32.exe PID 1060 wrote to memory of 1176 1060 rundll32.exe rundll32.exe PID 1060 wrote to memory of 1176 1060 rundll32.exe rundll32.exe PID 1060 wrote to memory of 1176 1060 rundll32.exe rundll32.exe PID 1060 wrote to memory of 1176 1060 rundll32.exe rundll32.exe PID 1060 wrote to memory of 1176 1060 rundll32.exe rundll32.exe PID 1060 wrote to memory of 1176 1060 rundll32.exe rundll32.exe PID 1176 wrote to memory of 1500 1176 rundll32.exe WerFault.exe PID 1176 wrote to memory of 1500 1176 rundll32.exe WerFault.exe PID 1176 wrote to memory of 1500 1176 rundll32.exe WerFault.exe PID 1176 wrote to memory of 1500 1176 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000100000001ab31-114.dat.dll,#1
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000100000001ab31-114.dat.dll,#1
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 224
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken