Analysis
- max time kernel: 171s
- max time network: 181s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:07
Static task: static1
Behavioral task: behavioral1
- Sample: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll
- Resource: win10-en-20211208
General
- Target: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll
- Size: 164KB
- MD5: 34c7caf74e06c60991d41df99ff387f4
- SHA1: 6a1ce2234360cc4d55100905581ef5370589498c
- SHA256: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a
- SHA512: 85fa9b7ccafb2731777eab4f323f29920208e21de4630031f5d4e8c9bc9287254d1cf4af4662344ff15277dd44fb8d131469909d6de4352fda72638c2f6b4350
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2252 created 920 | 2252 | WerFault.exe | rundll32.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2252 | 920 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  2252 | WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2252 | WerFault.exe
  Token: SeBackupPrivilege | 2252 | WerFault.exe
  Token: SeDebugPrivilege | 2252 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 800 wrote to memory of 920 | 800 | rundll32.exe | rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (PID 800)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 920)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 2252)
      C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 792
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/920-118-0x0000000003350000-0x000000000335A000-memory.dmp (40KB)
- memory/920-119-0x0000000004DE0000-0x0000000004E03000-memory.dmp (140KB)
- memory/920-120-0x0000000004DE0000-0x0000000004E03000-memory.dmp (140KB)
- memory/920-121-0x0000000004F90000-0x0000000004F91000-memory.dmp (4KB)
- memory/920-122-0x0000000004FA0000-0x0000000004FA6000-memory.dmp (24KB)