Analysis

Max time kernel: 144s
Max time network: 152s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 24-01-2022 01:17
Static task: static1

Behavioral task: behavioral1
  Sample: b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll
  Resource: win7-en-20211208
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll
  Resource: win10-en-20211208
  0 signatures, 0 seconds
General

Target: b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll
Size: 164KB
MD5: c27bbe2a8ae596a72ddffb87649bf472
SHA1: 0e5da9ec26b764caf2f54bc99967346ab47f7e9f
SHA256: b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933
SHA512: 4b4b09f8d30462e4dfebb95e710dd1016633b985b87b9ba5b02cfb445c0a4d72729764a4d6224c9606647840710c9facdcfa777c6007f89ae26848fa50c8c5a2
Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes (description / pid / process / target process):
    PID 1712 created 2712: WerFault.exe -> rundll32.exe
    PID 1476 created 2712: WerFault.exe -> rundll32.exe

Program crash (2 IoCs)
  Processes (pid / pid_target / process / target process):
    1476 -> 2712: WerFault.exe -> rundll32.exe
    1712 -> 2712: WerFault.exe -> rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid / process):
    1712 WerFault.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege 1712 WerFault.exe
    Token: SeBackupPrivilege 1712 WerFault.exe
    Token: SeDebugPrivilege 1712 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 2508 wrote to memory of 2712: rundll32.exe -> rundll32.exe (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll,#1
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 860
      Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 736
      Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken