Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-12-2021 08:51

Static task: static1

Behavioral task: behavioral1
- Sample: download.dat.dll
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: download.dat.dll
- Resource: win10-en-20211208 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: download.dat.dll
- Size: 205KB
- MD5: f1b9ce32bd51a386ad01b3c21562598a
- SHA1: c51d70e9c65c0efac222bba50995df8392d8d79d
- SHA256: bffe313600b5b3ed8962533c200d0c054f3e0e9db072e16472865f5319c8fae0
- SHA512: 62b3069c3a5991a11ae7834439c7ee77ecfa947cdc3a457bbfa313c338069319dce184855143f702fc6fa0a5b266bd31bf4a8910630838418261899a33868ffc
- Score: 3/10
Malware Config
(none)

Signatures

Program crash (1 IoC)
Processes:
- pid 2020 WerFault.exe, target pid 2620 rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
- pid 2020 WerFault.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeRestorePrivilege, pid 2020 WerFault.exe
- Token: SeBackupPrivilege, pid 2020 WerFault.exe
- Token: SeDebugPrivilege, pid 2020 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 2512 rundll32.exe wrote to memory of 2620 rundll32.exe (3 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\download.dat.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\download.dat.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 636
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2620-115-0x0000000000000000-mapping.dmp