Analysis
-
max time kernel
131s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
21/03/2022, 12:17
Behavioral task
behavioral1
Sample
1808-57-0x0000000000170000-0x000000000017E000-memory.dll
Resource
win7-20220311-en
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
1808-57-0x0000000000170000-0x000000000017E000-memory.dll
Resource
win10v2004-20220310-en
0 signatures
0 seconds
General
-
Target
1808-57-0x0000000000170000-0x000000000017E000-memory.dll
-
Size
56KB
-
MD5
6f72ecaeaf6d8b0a06f0da5ae3754dbe
-
SHA1
42750e04efcfec1868d5d80287d212e7f2a2abb6
-
SHA256
15622fff703648c6b515892046f883f4737e55d08e11fec5bbfed084e922ce4c
-
SHA512
0c9c3c62d630bad4a3245b9e6b30133b6b78f8b0faa3d611ea4ce912d126f380bfbfc0149bdb6d79580acccd12980076165c7b4cc0787816cba2908b8124c3e7
Score
3/10
Malware Config
Signatures
-
Program crash 2 IoCs
pid   pid_target   Process        procid_target
1744  4140         WerFault.exe   82
4612  3732         WerFault.exe   21
-
Modifies data under HKEY_USERS 6 IoCs
description        ioc                                                                                                                                         Process
Set value (data)   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001800080F67B489 = 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   svchost.exe
Key created        \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}                    svchost.exe
Set value (data)   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 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   svchost.exe
Set value (str)    \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001800080F67B489"   svchost.exe
Set value (int)    \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"   svchost.exe
Key created        \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property                                                        svchost.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description                         pid    Process        procid_target
PID 3796 wrote to memory of 4140    3796   rundll32.exe   82
PID 3796 wrote to memory of 4140    3796   rundll32.exe   82
PID 3796 wrote to memory of 4140    3796   rundll32.exe   82
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:3796
  -
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1
    PID:4140
    -
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 560
      - Program crash
      PID:1744
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  - Modifies data under HKEY_USERS
  PID:632
-
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4140 -ip 4140
  PID:1096
-
C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 552 -p 3732 -ip 3732
  PID:4476
-
C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3732 -s 780
  - Program crash
  PID:4612