Analysis
Max time kernel: 118s
Max time network: 124s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 23-12-2021 09:04
Behavioral task: behavioral1
Sample: tmp/e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
Resource: win7-en-20211208 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: tmp/e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
Resource: win10-en-20211208 (windows10_x64)
0 signatures, 0 seconds
General
Target: tmp/e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
Size: 117KB
MD5: a44471e5bb6e5577698c0aff854f0bf1
SHA1: fee0a1f386c4b543d0de1797593ab04c17ae0262
SHA256: e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad
SHA512: 6537f97a150544456f502270dc23320ff7f2e025d2bf808c5624a6a2d1c6a06a64c7651b421ab7bea297eeff86417eb0d48fda74231182841f8e4cc5c55de5e0
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
  pid   pid_target  process       target process
  2328  668         WerFault.exe  regsvr32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   process
  2328  WerFault.exe   (the same entry repeated 12 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  2328  WerFault.exe
  Token: SeBackupPrivilege   2328  WerFault.exe
  Token: SeDebugPrivilege    2328  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   process       target process
  PID 3312 wrote to memory of 668  3312  regsvr32.exe  regsvr32.exe   (the same entry repeated 3 times)
Processes

1. C:\Windows\system32\regsvr32.exe (PID 3312)
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tmp\e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (PID 668)
      /s C:\Users\Admin\AppData\Local\Temp\tmp\e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
      3. C:\Windows\SysWOW64\WerFault.exe (PID 2328)
         C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 612
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
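The tree above is the behaviour a detection engineer would want to encode, so here is an added example, not part of the Triage report and not sandbox code: a Python check over process-creation records constructed to mirror this page (PIDs 3312, 668 and 2328 and the paths shown; the parent PID 4104 of the first regsvr32 is an assumed value, since the page does not show it). It flags regsvr32 silently (/s) registering a DLL from a user's Temp directory, treats the System32 to SysWOW64 regsvr32 relaunch as the normal 64-bit to 32-bit hand-off for a 32-bit DLL (the parent writing into the child during process creation is what the WriteProcessMemory signature records) rather than as injection, and ties the WerFault -p 668 invocation back to the regsvr32 instance that had the sample loaded. Reading of the report, not a fact it states: because that instance crashed, the 3/10 score reflects a sample the sandbox never observed doing anything after load, not a sample shown to be benign.

```python
"""Turn the regsvr32 / WerFault process tree into a detection check.

Added example, not part of the Triage report. The records below are
constructed to mirror the tree on this page; the field names follow
Sysmon Event ID 1 but nothing here is real telemetry.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\tmp"
          r"\e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll")

# Constructed events. ppid 4104 for the first regsvr32 is an assumed value.
EVENTS = [
    {"pid": 3312, "ppid": 4104, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": f"regsvr32 /s {SAMPLE}"},
    {"pid": 668, "ppid": 3312, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": f"/s {SAMPLE}"},
    {"pid": 2328, "ppid": 668, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 612"},
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DLL_ARG = re.compile(r"(\S+\.dll)\s*$", re.I)   # trailing DLL argument (no spaces in path)
WER_PID = re.compile(r"\s-p\s+(\d+)", re.I)     # WerFault.exe ... -p <faulting pid>


def regsvr32_target(ev):
    """DLL a regsvr32 invocation registers, or None for any other process."""
    if not ev["image"].lower().endswith(r"\regsvr32.exe"):
        return None
    m = DLL_ARG.search(ev["cmd"])
    return m.group(1) if m else None


def is_wow64_handoff(parent, child):
    """64-bit regsvr32 (System32) relaunching the 32-bit one (SysWOW64) on the
    same DLL. This is the expected path for a 32-bit DLL; the parent's
    WriteProcessMemory into the child is part of process creation, not injection."""
    return (parent["image"].lower() == r"c:\windows\system32\regsvr32.exe"
            and child["image"].lower() == r"c:\windows\syswow64\regsvr32.exe"
            and regsvr32_target(parent) == regsvr32_target(child))


def analyse(events):
    """Return (rule, pid, dll) findings for the given process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if ev["image"].lower().endswith(r"\werfault.exe"):
            # Correlate the crash back to the process WerFault was started for.
            m = WER_PID.search(ev["cmd"])
            faulting = by_pid.get(int(m.group(1))) if m else None
            if faulting and regsvr32_target(faulting):
                findings.append(("regsvr32_crashed_with_dll_loaded",
                                 faulting["pid"], regsvr32_target(faulting)))
            continue
        dll = regsvr32_target(ev)
        if not dll or "/s" not in ev["cmd"].lower().split() or not USER_TEMP.search(dll):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent and is_wow64_handoff(parent, ev):
            continue  # expected 64-to-32-bit relaunch; reported once, at the parent
        findings.append(("regsvr32_silent_dll_from_user_temp", ev["pid"], dll))
    return findings


if __name__ == "__main__":
    for rule, pid, dll in analyse(EVENTS):
        print(rule, pid, dll)
```

On the constructed events this yields exactly two findings: the silent registration from Temp at PID 3312, and the crash of PID 668 while it had the DLL loaded. Matching on command lines is cheap to evade (renamed binaries, paths with spaces defeat the DLL_ARG pattern), so in production the same logic should key on image-load events for the DLL rather than on argument text.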
Network
MITRE ATT&CK Matrix
Downloads
memory/668-115-0x0000000000000000-mapping.dmp