55bcab507b73fd2d184d9326b69553910c223b28e512707771818de96136c52f | Triage

Analysis

max time kernel
123s
max time network
147s
platform
windows10_x64
resource
win10v200430
submitted
19-05-2020 07:30

Sharing

Report Analysis Logs

General

Target

iTBDXzF.bin.dll
Size

2.8MB
MD5

5057e9d2ca0f7b22d18d9823b99c7cba
SHA1

dd671fa5e34d5b5b7f6dc6100f746f490b83db6e
SHA256

55bcab507b73fd2d184d9326b69553910c223b28e512707771818de96136c52f
SHA512

b696e8e0e2bdfc6e78db8e5bfbc63e8e5caf0e8e67217e9e54a91ace83e5647a328b8fd64e1210cfe6394982f4a804936f19fea3fbd04e337be83e620b2df380

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 2212 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2668 1176 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2668 WerFault.exe
Token: SeBackupPrivilege 2668 WerFault.exe
Token: SeDebugPrivilege 2668 WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2536 wrote to memory of 1176	2536	rundll32.exe	rundll32.exe
PID 2536 wrote to memory of 1176	2536	rundll32.exe	rundll32.exe
PID 2536 wrote to memory of 1176	2536	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 2212	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 2212	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 2212	1176	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll,f0
3⤵
- Blocklisted process makes network request
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 808
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-0-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2668-2-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download