Analysis
max time kernel: 171s
max time network: 181s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 01:07
Static task: static1

Behavioral task: behavioral1
Sample: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll
Resource: win7-en-20211208
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll
Resource: win10-en-20211208
0 signatures, 0 seconds
General
Target: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll
Size: 164KB
MD5: 34c7caf74e06c60991d41df99ff387f4
SHA1: 6a1ce2234360cc4d55100905581ef5370589498c
SHA256: c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a
SHA512: 85fa9b7ccafb2731777eab4f323f29920208e21de4630031f5d4e8c9bc9287254d1cf4af4662344ff15277dd44fb8d131469909d6de4352fda72638c2f6b4350
Score: 10/10
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description               pid   Process       procid_target
  PID 2252 created 920      2252  WerFault.exe  68

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2252  920         WerFault.exe  68

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  2252  WerFault.exe  (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeRestorePrivilege  2252  WerFault.exe
  Token: SeBackupPrivilege   2252  WerFault.exe
  Token: SeDebugPrivilege    2252  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 800 wrote to memory of 920   800  rundll32.exe  68  (3 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
   PID: 800
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
      PID: 920
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 792
         PID: 2252
         Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
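What the tree above records is a 64-bit rundll32.exe (PID 800) handing the sample off to the SysWOW64 copy of itself (PID 920), which rundll32 does when the DLL's bitness differs from its own; the three WriteProcessMemory IoCs are the parent writing into that freshly created child. The WOW64 host then crashed and WerFault.exe was invoked with -p 920 to report on it, and no other child process is attributed to PID 920. The following script, added here as an example and not part of the sandbox report or its tooling, reconstructs exactly that reasoning from the process records: it parses the rundll32 command line (DLL path plus export name or #ordinal), parses the WerFault command line to find the crashed PID, detects the 64-bit to SysWOW64 relaunch, and reports whether the DLL produced any observable activity before it crashed. The process records are transcribed from the Processes section; the record layout, function names and the "crashed_at_load" verdict are conventions of this example only, and the meaning given to the -s value (a handle inherited by WerFault) is an assumption.

```python
"""Process-tree triage for a sandbox report.

Added example: not part of the sandbox report or its tooling. The process
records are transcribed from the report's Processes section; the record
layout, the function names and the 'crashed_at_load' verdict are conventions
of this example only.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# rundll32.exe <dll>,<entry>  where <entry> is an export name or #ordinal
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?),(?P<entry>#\d+|\w+)\s*$", re.I)
# WerFault.exe -u -p <crashed pid> -s <handle>  (user-mode crash report;
# the -s value is assumed to be a handle inherited by WerFault)
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(?P<pid>\d+)\s+-s\s+(?P<handle>\d+)", re.I)


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: list = field(default_factory=list)


# Constructed input, transcribed from the report: (pid, parent pid, image, command line).
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll"
REPORT_PROCESSES = [
    (800, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    (920, 800, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    (2252, 920, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 792"),
]


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Return the DLL path and the entry point (ordinal as int, or export name)."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    entry = m.group("entry")
    if entry.startswith("#"):
        return {"dll": m.group("dll"), "ordinal": int(entry[1:]), "export": None}
    return {"dll": m.group("dll"), "ordinal": None, "export": entry}


def parse_werfault(cmdline: str) -> Optional[dict]:
    """Return which process WerFault was reporting on."""
    m = WERFAULT_RE.search(cmdline)
    if not m:
        return None
    return {"crashed_pid": int(m.group("pid")), "handle": int(m.group("handle"))}


def is_wow64(image: str) -> bool:
    return "\\syswow64\\" in image.lower()


def build_tree(records) -> dict:
    """Index records by pid and link each process to its children."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in records}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def assess(records) -> list:
    """For every rundll32 host that WerFault reported on, say whether the DLL
    did anything observable (spawned a non-WerFault child) before the crash."""
    procs = build_tree(records)
    crashed = set()
    for p in procs.values():
        wf = parse_werfault(p.cmdline)
        if wf is not None:
            crashed.add(wf["crashed_pid"])
    findings = []
    for p in procs.values():
        host = parse_rundll32(p.cmdline)
        if host is None or p.pid not in crashed:
            continue
        # Anything spawned other than the crash reporter counts as payload activity.
        activity = [c for c in p.children if parse_werfault(c.cmdline) is None]
        parent = procs.get(p.ppid)
        # A 64-bit rundll32 hands a 32-bit DLL to the SysWOW64 copy of itself;
        # the parent's WriteProcessMemory into the child is part of that hand-off.
        relaunch = (parent is not None and parse_rundll32(parent.cmdline) is not None
                    and not is_wow64(parent.image) and is_wow64(p.image))
        findings.append({
            "pid": p.pid,
            "dll": host["dll"],
            "entry": host["ordinal"] if host["ordinal"] is not None else host["export"],
            "wow64_relaunch": relaunch,
            "payload_observed": bool(activity),
            "verdict": "crashed_after_activity" if activity else "crashed_at_load",
        })
    return findings


if __name__ == "__main__":
    for finding in assess(REPORT_PROCESSES):
        print(finding)
```

Run against the records from this report, the one finding is PID 920 loading the sample by ordinal #1 after a WOW64 relaunch, with no payload activity before WerFault was invoked: a "crashed_at_load" result, which is the cue to retry the sample under a 32-bit analysis profile or with a different export before drawing conclusions from the empty behaviour set.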