Analysis
-
max time kernel
121s -
max time network
128s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
01-12-2021 18:24
Static task
static1
Behavioral task
behavioral1
Sample
0x000100000001ab31-114.dat.dll
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
0x000100000001ab31-114.dat.dll
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe
Resource
win7-en-20211104
Behavioral task
behavioral4
Sample
3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe
Resource
win10-en-20211014
General
-
Target
3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe
-
Size
80KB
-
MD5
01408ac403b5c33f965f650534f81a90
-
SHA1
a1a23e1978fd58c9189817cca50163b06618b3bf
-
SHA256
f6b73646a1f1e97dacae54aa9a294eb12c19a3fe5c4ed578787b55eaac3c8ac9
-
SHA512
add8587516e42cced4466497322026408b6fe10a24c2c78feaf03210879a02b5ca92193e69ec5b445da485246872854a0d966373b9963b1a5adfac5834134404
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4160 4384 WerFault.exe 3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
WerFault.exepid process 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe 4160 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4160 WerFault.exe Token: SeBackupPrivilege 4160 WerFault.exe Token: SeDebugPrivilege 4160 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe"C:\Users\Admin\AppData\Local\Temp\3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2202⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken