Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2024, 21:02

Static task: static1

Behavioral task: behavioral1
  Sample: 72d95f3cb92089a8d3fca049a630d0ef30a431c83b2986a7af514e2639b1c846.dll
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 72d95f3cb92089a8d3fca049a630d0ef30a431c83b2986a7af514e2639b1c846.dll
  Resource: win10v2004-20231222-en
General
Target: 72d95f3cb92089a8d3fca049a630d0ef30a431c83b2986a7af514e2639b1c846.dll
Size: 179KB
MD5: 1f1a55e6fb038c90167c6c45146d5d92
SHA1: 1a4e0f3d8156b6b126d673183e545773e1ab1b13
SHA256: 72d95f3cb92089a8d3fca049a630d0ef30a431c83b2986a7af514e2639b1c846
SHA512: 59d6e623134784350d1d5e5b1020483abd0d2b163611656242cad8423c5f9bb480a053a5c740d1d4e1abbdad8a615c751be1d5262d9417488fc24a8d2f1fa1c0
SSDEEP: 3072:3ncwv7ebBHoXcva8ZpZ4QWytYEazKHdoK5KixPt9QzHXO/lAXlUVqglM/:8VHoXhfwaOHaK5ng3pXyVre
Malware Config

Signatures

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4652  3852        WerFault.exe  21
  4500  3852        WerFault.exe  21

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process       procid_target
  PID 4124 wrote to memory of 3852   4124  rundll32.exe  21
  PID 4124 wrote to memory of 3852   4124  rundll32.exe  21
  PID 4124 wrote to memory of 3852   4124  rundll32.exe  21
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72d95f3cb92089a8d3fca049a630d0ef30a431c83b2986a7af514e2639b1c846.dll,#1
  PID: 4124
  Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72d95f3cb92089a8d3fca049a630d0ef30a431c83b2986a7af514e2639b1c846.dll,#1
    PID: 3852

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 548
      PID: 4652
      Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 828
      PID: 4500
      Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3852 -ip 3852
  PID: 1092

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3852 -ip 3852
  PID: 464