Analysis
-
max time kernel
162s -
max time network
177s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:56
Static task
static1
Behavioral task
behavioral1
Sample
d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
-
Target
d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll
-
Size
164KB
-
MD5
7d202172c49d60aa1847d90bd284114f
-
SHA1
1cab5eedcd7390806332a2f25d264e79395e1005
-
SHA256
d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51
-
SHA512
a4cc0b5645d44d13fab043b20602dc9730d36825f75df19743f1d26821dd1c5a7f86d4f2470702d46368032db72a3087484afff768ba7a3441029f75d91b5dfb
Score
3/10
Malware Config
Signatures
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3960 2176 WerFault.exe rundll32.exe 1016 2176 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
WerFault.exepid process 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe 1016 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1016 WerFault.exe Token: SeBackupPrivilege 1016 WerFault.exe Token: SeDebugPrivilege 1016 WerFault.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1440 wrote to memory of 2176 1440 rundll32.exe rundll32.exe PID 1440 wrote to memory of 2176 1440 rundll32.exe rundll32.exe PID 1440 wrote to memory of 2176 1440 rundll32.exe rundll32.exe PID 2176 wrote to memory of 3960 2176 rundll32.exe WerFault.exe PID 2176 wrote to memory of 3960 2176 rundll32.exe WerFault.exe PID 2176 wrote to memory of 3960 2176 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 6523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 6523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken