Analysis
max time kernel: 175s
max time network: 175s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 01:39
Static task: static1

Behavioral task: behavioral1
Sample: 87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll
Resource: win7-en-20211208 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll
Resource: win10-en-20211208 (windows10_x64)
0 signatures, 0 seconds
General
Target: 87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll
Size: 164KB
MD5: 3fdf7b8a34ece9a0a844749262415a93
SHA1: 42668023abd7c4eab24909adb101826af897320e
SHA256: 87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851
SHA512: 2dfa4f9a5c98bf2c85faefd859bef7719c53c914d718f4531ee6a68806a40ad7157491dcf948a1a4e7b890f7d8ca5d7ea662b42adffb85d9795d7d0463d155c4
Score: 10/10
Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description                  | pid  | process      | target process
  PID 2976 created 3044        | 2976 | WerFault.exe | rundll32.exe

Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  2976 | 3044       | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid  | process
  2976 | WerFault.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description               | pid  | process
  Token: SeRestorePrivilege | 2976 | WerFault.exe
  Token: SeBackupPrivilege  | 2976 | WerFault.exe
  Token: SeDebugPrivilege   | 2976 | WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        | pid  | process      | target process
  PID 2344 wrote to memory of 3044   | 2344 | rundll32.exe | rundll32.exe (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 796
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken