Analysis
max time kernel: 121s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 02:20
Static task: static1

Behavioral task: behavioral1
  Sample: 2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll
  Resource: win7-en-20211208
  Platform: windows7_x64
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: 2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll
  Resource: win10-en-20211208
  Platform: windows10_x64
  0 signatures
  0 seconds
General
Target: 2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll
Size: 164KB
MD5: 5fa2e3adcd15792d66654130fcf47744
SHA1: 1df8a5fb27139fb5ca5cf0f5921e4e9808ee97a1
SHA256: 2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f
SHA512: 41ddd0647a56174e9953322236892a4b6db133503bf6421b6dcfa24f103f584be0e6000fe574e69293468b72e4191bd95a18dbaa9add6fc11ce20b022c0aa37e
Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description              pid   process       target process
  PID 1600 created 3692    1600  WerFault.exe  rundll32.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1600  3692        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid   process
  1600  WerFault.exe  (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1600  WerFault.exe
  Token: SeBackupPrivilege   1600  WerFault.exe
  Token: SeDebugPrivilege    1600  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process       target process
  PID 1284 wrote to memory of 3692   1284  rundll32.exe  rundll32.exe
  PID 1284 wrote to memory of 3692   1284  rundll32.exe  rundll32.exe
  PID 1284 wrote to memory of 3692   1284  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll,#1
  PID: 1284
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll,#1
    PID: 3692

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 812
      PID: 1600
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken