Analysis
max time kernel: 166s
max time network: 179s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:54
Static task: static1
Behavioral task: behavioral1
  Sample: da96c47a6a87fa4591bf6051b725fed00fa2341f557ee87dca3e60771604813b.dll
  Resource: win7-en-20211208 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: da96c47a6a87fa4591bf6051b725fed00fa2341f557ee87dca3e60771604813b.dll
  Resource: win10-en-20211208 (windows10_x64)
  0 signatures, 0 seconds
General
Target: da96c47a6a87fa4591bf6051b725fed00fa2341f557ee87dca3e60771604813b.dll
Size: 164KB
MD5: ed83157feac92ecba56a3300fd5c95c2
SHA1: a1e19156280a7d7b13659dff0fdcae643066c80c
SHA256: da96c47a6a87fa4591bf6051b725fed00fa2341f557ee87dca3e60771604813b
SHA512: 50f97122a57824f9aaefa0debef0f56df5f737a74a991bc601c4356b75a98c0ee6a92f7fa0c279a573fe3ca73fc2ebd75e6d2d802fcf354d5f928450a40cc080
Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (WerFault.exe):
    description             | pid  | process      | target process
    PID 3316 created 1484   | 3316 | WerFault.exe | rundll32.exe
- Program crash (1 IoC)
  Processes (WerFault.exe):
    pid  | pid_target | process      | target process
    3316 | 1484       | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (WerFault.exe):
    pid  | process
    3316 | WerFault.exe   (the same row is recorded 12 times, one per IoC)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (WerFault.exe):
    description               | pid  | process
    Token: SeRestorePrivilege | 3316 | WerFault.exe
    Token: SeBackupPrivilege  | 3316 | WerFault.exe
    Token: SeDebugPrivilege   | 3316 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (rundll32.exe):
    description                      | pid  | process      | target process
    PID 1464 wrote to memory of 1484 | 1464 | rundll32.exe | rundll32.exe   (the same row is recorded 3 times, one per IoC)
Processes
- C:\Windows\system32\rundll32.exe (PID 1464)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da96c47a6a87fa4591bf6051b725fed00fa2341f557ee87dca3e60771604813b.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1484)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da96c47a6a87fa4591bf6051b725fed00fa2341f557ee87dca3e60771604813b.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 3316)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 800
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken