Analysis
- max time kernel: 124s
- max time network: 165s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:47
Static task: static1

Behavioral task: behavioral1
- Sample: e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll
- Resource: win10-en-20211208
General
- Target: e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll
- Size: 166KB
- MD5: f2440c173c422378430d78028a504068
- SHA1: f5fe9cd7f7572c44df92f75990ddfb7d28a52560
- SHA256: e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743
- SHA512: b4697427d07de04479e5b689bc146fac49b0b869bd96f457016d76d563c052b3c716327f30201d0e4ef2f97b0d9e1a2e6af37449df8fd9618c3c7735f4538fd3
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description: PID 4016 created 3156 | pid: 4016 | process: WerFault.exe | target process: rundll32.exe
- Program crash (1 IoC)
  Processes:
  pid: 4016 | pid_target: 3156 | process: WerFault.exe | target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid: 4016 | process: WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description: Token: SeRestorePrivilege | pid: 4016 | process: WerFault.exe
  description: Token: SeBackupPrivilege | pid: 4016 | process: WerFault.exe
  description: Token: SeDebugPrivilege | pid: 4016 | process: WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description: PID 660 wrote to memory of 3156 | pid: 660 | process: rundll32.exe | target process: rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (PID: 660)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 3156)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID: 4016)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 800
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3156-118-0x0000000000690000-0x000000000073E000-memory.dmp (Filesize: 696KB)
- memory/3156-119-0x00000000006B0000-0x00000000009F4000-memory.dmp (Filesize: 3.3MB)
- memory/3156-120-0x00000000006B0000-0x00000000009F4000-memory.dmp (Filesize: 3.3MB)
- memory/3156-121-0x0000000000E60000-0x0000000000E66000-memory.dmp (Filesize: 24KB)