Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 08:59
Behavioral task: behavioral1
Sample: dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll
Resource: win7-en-20211208
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll
Resource: win10v2004-en-20220113
0 signatures, 0 seconds
General
Target: dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll
Size: 64KB
MD5: d7871e818a404134fcd16f5e976f8fd3
SHA1: 3bba35f05b2077d6fe62950957b00e90ac85359a
SHA256: dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994
SHA512: f380a3009123fa979e7847a5c3318454b8fc5de12a7d9a18671cf463b3933000f48332091ca89005018bad460e2200905985655a7622f7542c771858cbd2fadf
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
Processes: WerFault.exe
  pid    pid_target  process       target process
  1660   1820        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: WerFault.exe
  pid    process
  1660   WerFault.exe
  1660   WerFault.exe
  1660   WerFault.exe
  1660   WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: WerFault.exe
  pid    process
  1660   WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WerFault.exe
  description               pid    process
  Token: SeDebugPrivilege   1660   WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                        pid    process       target process
  PID 524 wrote to memory of 1820    524    rundll32.exe  rundll32.exe
  PID 524 wrote to memory of 1820    524    rundll32.exe  rundll32.exe
  PID 524 wrote to memory of 1820    524    rundll32.exe  rundll32.exe
  PID 524 wrote to memory of 1820    524    rundll32.exe  rundll32.exe
  PID 524 wrote to memory of 1820    524    rundll32.exe  rundll32.exe
  PID 524 wrote to memory of 1820    524    rundll32.exe  rundll32.exe
  PID 524 wrote to memory of 1820    524    rundll32.exe  rundll32.exe
  PID 1820 wrote to memory of 1660   1820   rundll32.exe  WerFault.exe
  PID 1820 wrote to memory of 1660   1820   rundll32.exe  WerFault.exe
  PID 1820 wrote to memory of 1660   1820   rundll32.exe  WerFault.exe
  PID 1820 wrote to memory of 1660   1820   rundll32.exe  WerFault.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 196
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken