4fb5e1b5eaa6a8f4ff3e80429adaa9f5af1dded814c724a7839f25636530d0e3 | Triage

Analysis

max time kernel
131s
max time network
70s
platform
windows10_x64
resource
win10v200430
submitted
20-07-2020 20:28

Sharing

Report Analysis Logs

General

Target

202.dll
Size

387KB
MD5

d807f97e41c73e54984ebe5a5228be7a
SHA1

3ee769477a72b6dbc39cfed759e6f58d16a96151
SHA256

4fb5e1b5eaa6a8f4ff3e80429adaa9f5af1dded814c724a7839f25636530d0e3
SHA512

36f1fd0b2d7efde2cbd2a76f2986517b3f1917fe3882f5eaf42cc1ac7087370969f6c2627b2662bc1a73f705c57d8a15a093a26a12ec9e479f693a58c46f6d81

Score

3^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1732 wrote to memory of 1864	1732	rundll32.exe	rundll32.exe
PID 1732 wrote to memory of 1864	1732	rundll32.exe	rundll32.exe
PID 1732 wrote to memory of 1864	1732	rundll32.exe	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2124 1864 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2124 WerFault.exe
Token: SeBackupPrivilege 2124 WerFault.exe
Token: SeDebugPrivilege 2124 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202.dll,#1
2⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 624
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-0-0x0000000000000000-mapping.dmp

Download
memory/1864-2-0x0000000000000000-mapping.dmp

Download
memory/1864-3-0x0000000000000000-mapping.dmp

Download
memory/1864-4-0x0000000000000000-mapping.dmp

Download
memory/2124-1-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2124-5-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download