Analysis
max time kernel: 119s
max time network: 131s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 14:50
Static task: static1

Behavioral task: behavioral1
  Sample: a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f.dll
  Resource: win7-en-20211208 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f.dll
  Resource: win10-en-20211208 (windows10_x64)
  0 signatures, 0 seconds
General
Target: a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f.dll
Size: 191KB
MD5: b50f30c551998532617a9b652af4d4b5
SHA1: a212808f1a9a45cdb2c4eb6284e284a94168e83f
SHA256: a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f
SHA512: afa9114f191af3da6ba5f4d4048d579aefd42cf81c4be07d7c9df38b81d89d76aba99e4906ac3eb1ed5c11b4d79d8f02a9fdc1cbb8a9a61ae0421a5c74408a06
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
  pid   pid_target  process       target process
  1668  1388        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  1668  WerFault.exe   (4 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1668  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1668  WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   process       target process
  PID 1700 wrote to memory of 1388  1700  rundll32.exe  rundll32.exe   (7 identical entries)
  PID 1388 wrote to memory of 1668  1388  rundll32.exe  WerFault.exe   (4 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe (PID 1700)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1388)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f.dll,#1
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (PID 1668)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 244
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the WriteProcessMemory and Program crash signature tables: the 64-bit rundll32.exe (1700) writes into the SysWOW64 rundll32.exe it spawned (1388), which is the process WerFault.exe (1668) reports as crashed via -p 1388. No behavior beyond the crash of the DLL host was recorded.
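The signature tables above are flattened to one line per signature, which makes the process chain hard to read by eye. The following is an added example, not part of the report or of the sandbox's own tooling: a small Python parser that turns the flattened WriteProcessMemory and Program crash entries into deduplicated edges, rebuilds the rundll32 -> rundll32 -> WerFault chain, and flags the pattern this report shows (a rundll32 DLL host, written to by its rundll32 parent, being the process WerFault reports as crashed). The sample text is constructed from the lines on this page; the line format it assumes (`PID <src> wrote to memory of <dst> <src> <src image> <target image>`, repeated once per IoC) is an assumption about the report layout, as are all function names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, copied from the flattened signature lines on this page.
# 7 identical rundll32 -> rundll32 entries followed by 4 rundll32 -> WerFault entries.
WPM_TEXT = (
    "PID 1700 wrote to memory of 1388 1700 rundll32.exe rundll32.exe " * 7
    + "PID 1388 wrote to memory of 1668 1388 rundll32.exe WerFault.exe " * 4
).strip()

# Constructed: the Program crash row (pid, pid_target, process, target process).
CRASH_ROW = "1668 1388 WerFault.exe rundll32.exe"

# Assumed layout of one WriteProcessMemory IoC: the description repeats the
# source PID, then the table columns pid / process / target process follow.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_write_process_memory(text):
    """Count identical IoCs so 11 flattened entries collapse to 2 distinct edges."""
    edges = Counter()
    for m in WPM_RE.finditer(text):
        edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def parse_crash(row):
    """Parse the Program crash row into a dict keyed by the report's column names."""
    pid, pid_target, process, target_process = row.split()
    return {
        "pid": int(pid),
        "pid_target": int(pid_target),
        "process": process,
        "target_process": target_process,
    }


def build_chain(edges, root):
    """Walk WriteProcessMemory edges from `root`, returning [(pid, image), ...].

    Each PID in this report writes to exactly one child, so the walk is linear;
    a branching tree would need a proper traversal instead.
    """
    children = defaultdict(list)
    images = {}
    for (src, src_img, dst, dst_img) in edges:
        children[src].append(dst)
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)

    chain, pid, seen = [], root, set()
    while pid is not None and pid not in seen:   # guard against cyclic data
        seen.add(pid)
        chain.append((pid, images[pid]))
        nxt = children.get(pid, [])
        pid = nxt[0] if nxt else None
    return chain


def crashed_dll_host(edges, crash):
    """True when the process WerFault reports as crashed is a rundll32 that
    received WriteProcessMemory from a rundll32 parent (this report's pattern)."""
    if crash["process"].lower() != "werfault.exe":
        return False
    for (src, src_img, dst, dst_img) in edges:
        if (src_img.lower() == dst_img.lower() == "rundll32.exe"
                and dst == crash["pid_target"]):
            return True
    return False


def render_chain(chain):
    """Indented text rendering of the chain, one level per hop."""
    return "\n".join(f"{'  ' * depth}{pid} {img}" for depth, (pid, img) in enumerate(chain))


if __name__ == "__main__":
    edges = parse_write_process_memory(WPM_TEXT)
    crash = parse_crash(CRASH_ROW)
    print(render_chain(build_chain(edges, 1700)))
    print("DLL host crashed:", crashed_dll_host(edges, crash))
```

The per-edge counts are kept rather than discarded: the "7 identical entries" between the two rundll32 processes are the normal pattern of a parent writing into a freshly created child before it runs, and a much larger count to an unrelated process would be the thing worth looking at.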