Analysis
-
max time kernel
143s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 12:40
Static task
static1
Behavioral task
behavioral1
Sample
e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a.dll
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a.dll
-
Size
22KB
-
MD5
a469d5403003584e71c5e5bdbfc5d4e4
-
SHA1
adf569be634c8bd03cc1948042499545a1bd1996
-
SHA256
e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a
-
SHA512
fabdb31756703f80cf168ee43f47e1538b43e02e4f9ac648c852aa7da3b87add8aaad1a08865ff2d8f2f1e48d4122fe7faf67453924885badad63df8c2f4c15a
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
WerFault.exeWerFault.exedescription pid process target process PID 2852 created 1552 2852 WerFault.exe rundll32.exe PID 1076 created 1552 1076 WerFault.exe rundll32.exe -
Nloader Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1552-130-0x0000000010000000-0x0000000010007000-memory.dmp nloader behavioral2/memory/1552-132-0x00000000029F0000-0x00000000029F5000-memory.dmp nloader -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 22 1552 rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2452 1552 WerFault.exe rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
WerFault.exepid process 2452 WerFault.exe 2452 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2452 WerFault.exe Token: SeBackupPrivilege 2452 WerFault.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exeWerFault.exeWerFault.exedescription pid process target process PID 1868 wrote to memory of 1552 1868 rundll32.exe rundll32.exe PID 1868 wrote to memory of 1552 1868 rundll32.exe rundll32.exe PID 1868 wrote to memory of 1552 1868 rundll32.exe rundll32.exe PID 2852 wrote to memory of 1552 2852 WerFault.exe rundll32.exe PID 2852 wrote to memory of 1552 2852 WerFault.exe rundll32.exe PID 1076 wrote to memory of 1552 1076 WerFault.exe rundll32.exe PID 1076 wrote to memory of 1552 1076 WerFault.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a.dll,#12⤵
- Blocklisted process makes network request
PID:1552 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 8123⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1552 -ip 15521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1552 -ip 15521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1076