Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-12-2021 09:13
Behavioral task: behavioral1
- Sample: tmp/4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: tmp/4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll
- Resource: win10-en-20211208
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: tmp/4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll
- Size: 132KB
- MD5: 7eff73c1b8448ce059f5b3be69ca05ca
- SHA1: e7e851d35d466ce5302531749df6bcc8dcb46d6d
- SHA256: 4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d
- SHA512: da95c4518f109ef36ff09f7f468f8afc92f44686346ee0546be276fb9d77cecba7c60955d1a4ed170c7446bdd40fd0791ceb57e77531f13f1e33f221aec72b38
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid 4112 WerFault.exe -> pid_target 3528 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid 4112 WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege  pid 4112 WerFault.exe
    Token: SeBackupPrivilege   pid 4112 WerFault.exe
    Token: SeDebugPrivilege    pid 4112 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 3536 rundll32.exe wrote to memory of PID 3528 rundll32.exe (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp\4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp\4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 620
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
memory/3528-115-0x0000000000000000-mapping.dmp