Analysis
max time kernel
137s
max time network
168s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 00:41
Static task
static1
Behavioral task
behavioral1
Sample
f9d9a87e00ec85047f0a85828cf5fb137c3e129ea172c3b5fa9058c2748014da.dll
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
f9d9a87e00ec85047f0a85828cf5fb137c3e129ea172c3b5fa9058c2748014da.dll
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
Target
f9d9a87e00ec85047f0a85828cf5fb137c3e129ea172c3b5fa9058c2748014da.dll
Size
166KB
MD5
9b6fd908b479e506b97036d8cd655db4
SHA1
ccf5d1df83fba4f013a56b589d1d5ee5e4e761f2
SHA256
f9d9a87e00ec85047f0a85828cf5fb137c3e129ea172c3b5fa9058c2748014da
SHA512
4ed0cedc753112b0e6a9238c1a709e1a8966b8d470c55ddc59b6cc262e9a7bc59c8542a68a9c74313401c27d712b5fb6060ea30dd1620221a64b0ae05d2a82b3
Score
10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
  description             pid   process       target process
  PID 4168 created 4020   4168  WerFault.exe  rundll32.exe

Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  4168  4020        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  pid   process
  4168  WerFault.exe   (same entry repeated 12 times)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                pid   process
  Token: SeRestorePrivilege  4168  WerFault.exe
  Token: SeBackupPrivilege   4168  WerFault.exe
  Token: SeDebugPrivilege    4168  WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                         pid   process       target process
  PID 4064 wrote to memory of 4020    4064  rundll32.exe  rundll32.exe
  PID 4064 wrote to memory of 4020    4064  rundll32.exe  rundll32.exe
  PID 4064 wrote to memory of 4020    4064  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9d9a87e00ec85047f0a85828cf5fb137c3e129ea172c3b5fa9058c2748014da.dll,#1
  PID: 4064
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9d9a87e00ec85047f0a85828cf5fb137c3e129ea172c3b5fa9058c2748014da.dll,#1
    PID: 4020

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 868
      PID: 4168
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken