Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 27-12-2021 08:51

Static task: static1

Behavioral task: behavioral1
- Sample: download.dat.dll
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: download.dat.dll
- Resource: win10-en-20211208 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: download.dat.dll
- Size: 205KB
- MD5: f1b9ce32bd51a386ad01b3c21562598a
- SHA1: c51d70e9c65c0efac222bba50995df8392d8d79d
- SHA256: bffe313600b5b3ed8962533c200d0c054f3e0e9db072e16472865f5319c8fae0
- SHA512: 62b3069c3a5991a11ae7834439c7ee77ecfa947cdc3a457bbfa313c338069319dce184855143f702fc6fa0a5b266bd31bf4a8910630838418261899a33868ffc
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid, target pid, process, target process):
  1368 -> 1680, WerFault.exe -> rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
  1368 WerFault.exe (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 1368 WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 1620 wrote to memory of 1680, rundll32.exe -> rundll32.exe (7 identical entries)
  PID 1680 wrote to memory of 1368, rundll32.exe -> WerFault.exe (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1620)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\download.dat.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1680, child of 1620)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\download.dat.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1368, child of 1680)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 232
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The 64-bit rundll32.exe in system32 re-launches the 32-bit copy in SysWOW64 with the same arguments, which is what happens when the DLL handed to it is a 32-bit image; that 32-bit process (PID 1680) calls export ordinal #1 and faults, and Windows Error Reporting starts WerFault.exe with -p 1680 to report the crash. The WriteProcessMemory entries are this parent-to-child handoff and the crash-reporting handshake, not injection into an unrelated process.
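Added example, not part of the sandbox output above: a small Python parser that turns the flattened WriteProcessMemory IoC records into a parent-to-child process tree and identifies which process WerFault.exe is reporting on. The input string is constructed from the eleven records listed in this report (seven 1620 -> 1680 writes and four 1680 -> 1368 writes); the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the report's WriteProcessMemory IoC line, flattened into
# one string in the same "PID A wrote to memory of B A image_A image_B" shape
# the page uses. 7 + 4 = 11 records, matching the signature count.
WPM_IOC_LINE = (
    "PID 1620 wrote to memory of 1680 1620 rundll32.exe rundll32.exe " * 7
    + "PID 1680 wrote to memory of 1368 1680 rundll32.exe WerFault.exe " * 4
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_wpm_records(text):
    """Return one (writer_pid, target_pid, writer_image, target_image) per IoC.

    The writer pid appears twice in each record; a mismatch means the line was
    mangled by extraction, so refuse to guess rather than build a wrong tree.
    """
    records = []
    for m in WPM_RE.finditer(text):
        writer, target, writer_again, writer_img, target_img = m.groups()
        if writer != writer_again:
            raise ValueError(f"inconsistent record: {m.group(0)!r}")
        records.append((int(writer), int(target), writer_img, target_img))
    return records


def build_tree(records):
    """Collapse repeated writes between the same pid pair into one edge.

    Returns (images, children, counts): pid -> image name, parent pid ->
    [(child pid, write count)], and (writer, target) -> number of IoCs.
    """
    counts = Counter((w, t) for w, t, _, _ in records)
    images = {}
    for w, t, wi, ti in records:
        images[w] = wi
        images[t] = ti
    children = defaultdict(list)
    for (w, t), n in sorted(counts.items()):
        children[w].append((t, n))
    return images, dict(children), counts


def roots(records):
    """Pids that write to others but are never written to: the tree roots."""
    writers = {w for w, _, _, _ in records}
    targets = {t for _, t, _, _ in records}
    return sorted(writers - targets)


def render(images, children, pid, depth=0):
    """Indented text tree, one line per process, starting at pid."""
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for child, n in children.get(pid, []):
        lines.append(f"{'  ' * (depth + 1)}({n} WriteProcessMemory call(s) into)")
        lines.extend(render(images, children, child, depth + 1))
    return lines


def crashed_processes(records):
    """Map each WerFault.exe pid to the pid of the process that launched it.

    WER starts WerFault.exe from inside the faulting process and hands it the
    crash context, so the writer in a write-into-WerFault record is the
    process that crashed (the report's '-p 1680' argument says the same).
    """
    return {t: w for w, t, _, ti in records if ti == "WerFault.exe"}


if __name__ == "__main__":
    recs = parse_wpm_records(WPM_IOC_LINE)
    imgs, kids, _ = build_tree(recs)
    for root in roots(recs):
        print("\n".join(render(imgs, kids, root)))
    print("crashed:", crashed_processes(recs))
```

Running it prints the same three-process chain as the tree above (1620 rundll32.exe -> 1680 rundll32.exe -> 1368 WerFault.exe) and reports that 1368 is the error reporter for 1680, so the eleven WriteProcessMemory IoCs reduce to two edges rather than eleven separate injection events.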