Analysis
max time kernel: 124s
max time network: 144s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 01:24
Static task: static1

Behavioral task: behavioral1
  Sample: a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll
  Resource: win7-en-20211208 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll
  Resource: win10-en-20211208 (windows10_x64)
  0 signatures, 0 seconds
General
Target: a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll
Size: 164KB
MD5: 63b4982a662c0de086d77a627a8765b1
SHA1: fc4fd68c29463a123891158bbad80f581a12473a
SHA256: a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2
SHA512: 5b8a953f8aee68f932477d203c9ddb1f8a0c77cc548a8c004ae972ad2886c076088c2f0b808d0b026607a78b573e18781f9a2fb3fc456a4ad477e858853eae92
Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description                 pid   process       target PID  target process
  PID 2716 created 2820       2716  WerFault.exe  2820        rundll32.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2716  2820        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid   process
  2716  WerFault.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description               pid   process
  Token: SeRestorePrivilege 2716  WerFault.exe
  Token: SeBackupPrivilege  2716  WerFault.exe
  Token: SeDebugPrivilege   2716  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process       target process
  PID 3048 wrote to memory of 2820   3048  rundll32.exe  rundll32.exe  (3 occurrences)
Processes (process tree; indentation shows parent/child depth)

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll,#1
   PID: 3048
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll,#1
      PID: 2820

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 828
         PID: 2716
         Signatures:
           Suspicious use of NtCreateProcessExOtherParentProcess
           Program crash
           Suspicious behavior: EnumeratesProcesses
           Suspicious use of AdjustPrivilegeToken