Analysis
- max time kernel: 136s
- max time network: 146s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:38
Static task: static1

Behavioral task: behavioral1
- Sample: 8a43b042a95595a00bb4ddef4cddc3a164b38ef0dbd3818f896aa42657c08374.dll
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 8a43b042a95595a00bb4ddef4cddc3a164b38ef0dbd3818f896aa42657c08374.dll
- Resource: win10-en-20211208 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 8a43b042a95595a00bb4ddef4cddc3a164b38ef0dbd3818f896aa42657c08374.dll
- Size: 164KB
- MD5: 53b5ee7a1b766ee06a8227bb0808f140
- SHA1: 8de198317b0fc937cf0f3b679ca12b0994d05583
- SHA256: 8a43b042a95595a00bb4ddef4cddc3a164b38ef0dbd3818f896aa42657c08374
- SHA512: a497a71ac75e77646a414b04a07a60a1a57bf956a481c479980c9a6b0f9779af8f0347e8cf6870c381580fd2c72d408bbb963712f1b7c31e2f920de4b131e0c9
- Score: 10/10
Malware Config
Signatures

- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description              pid   process       target process
    PID 2748 created 3092    2748  WerFault.exe  rundll32.exe

- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2748  3092        WerFault.exe  rundll32.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    2748  WerFault.exe  (12 identical entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  2748  WerFault.exe
    Token: SeBackupPrivilege   2748  WerFault.exe
    Token: SeDebugPrivilege    2748  WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3100 wrote to memory of 3092   3100  rundll32.exe  rundll32.exe
    PID 3100 wrote to memory of 3092   3100  rundll32.exe  rundll32.exe
    PID 3100 wrote to memory of 3092   3100  rundll32.exe  rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a43b042a95595a00bb4ddef4cddc3a164b38ef0dbd3818f896aa42657c08374.dll,#1
  PID: 3100
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a43b042a95595a00bb4ddef4cddc3a164b38ef0dbd3818f896aa42657c08374.dll,#1
    PID: 3092

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 720
      PID: 2748
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken