Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-06-2022 03:15

Static task: static1

Behavioral task: behavioral1
- Sample: 9a3272b007dd5ecdaf7418403c03eadbd253e2927e83859ae78740f28bda890a.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 9a3272b007dd5ecdaf7418403c03eadbd253e2927e83859ae78740f28bda890a.dll
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: 9a3272b007dd5ecdaf7418403c03eadbd253e2927e83859ae78740f28bda890a.dll
- Size: 203KB
- MD5: 1d8d086225b094ee00f3f4ef466cec6b
- SHA1: 64a9a1eb833809ceaa756c83cec4e2cc93e509a8
- SHA256: 9a3272b007dd5ecdaf7418403c03eadbd253e2927e83859ae78740f28bda890a
- SHA512: fe977bafa9e19319802f64f44a14bd0ecbec78d8478cdfff00029c9170fd88d1b92fca35b7e19a83af6269636f6403c0a145b78d8f63844cf17f56b5ea180a35
- Score: 3/10
Malware Config
(none)

Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  4168  4112         WerFault.exe   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                            pid    process        target process
  PID 3040 wrote to memory of 4112       3040   rundll32.exe   rundll32.exe
  PID 3040 wrote to memory of 4112       3040   rundll32.exe   rundll32.exe
  PID 3040 wrote to memory of 4112       3040   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a3272b007dd5ecdaf7418403c03eadbd253e2927e83859ae78740f28bda890a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a3272b007dd5ecdaf7418403c03eadbd253e2927e83859ae78740f28bda890a.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 632
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4112 -ip 4112
Network
(none)

MITRE ATT&CK Matrix
(none)
Downloads
- memory/4112-130-0x0000000000000000-mapping.dmp