Analysis
-
max time kernel
120s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 08:00
Static task
static1
Behavioral task
behavioral1
Sample
15a682524e1fd120a22257f511731ee3ab821cfd84dec4441746aadc883b4e30.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
15a682524e1fd120a22257f511731ee3ab821cfd84dec4441746aadc883b4e30.dll
Resource
win10-en-20211208
General
-
Target
15a682524e1fd120a22257f511731ee3ab821cfd84dec4441746aadc883b4e30.dll
-
Size
166KB
-
MD5
44d4e81b71f5c9c23f51712a1027927d
-
SHA1
a93c45dfadbc619d12c0c55403e26f15c4da57d8
-
SHA256
15a682524e1fd120a22257f511731ee3ab821cfd84dec4441746aadc883b4e30
-
SHA512
985ca60df86a6c2be8c4359e056fb69aff548f650b952f913345d3a79bbada3098c87bd33c32d3a32061febd3bbf67c4305c317108c76c74c6aaf262c77f8e94
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 1280 created 2000 1280 WerFault.exe rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1280 2000 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
WerFault.exepid process 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe 1280 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1280 WerFault.exe Token: SeBackupPrivilege 1280 WerFault.exe Token: SeDebugPrivilege 1280 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3080 wrote to memory of 2000 3080 rundll32.exe rundll32.exe PID 3080 wrote to memory of 2000 3080 rundll32.exe rundll32.exe PID 3080 wrote to memory of 2000 3080 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\15a682524e1fd120a22257f511731ee3ab821cfd84dec4441746aadc883b4e30.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\15a682524e1fd120a22257f511731ee3ab821cfd84dec4441746aadc883b4e30.dll,#12⤵PID:2000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 8003⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2000-119-0x0000000001100000-0x0000000001101000-memory.dmpFilesize
4KB
-
memory/2000-118-0x0000000000980000-0x0000000000A2E000-memory.dmpFilesize
696KB
-
memory/2000-120-0x0000000001110000-0x0000000001111000-memory.dmpFilesize
4KB
-
memory/2000-121-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/2000-122-0x0000000005BB0000-0x0000000005BB6000-memory.dmpFilesize
24KB