d2e8df83543dd192ac86bc1a085b62f6fcffb1ca8cead22febd4cec634089483 | Triage

Analysis

max time kernel
3s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 12:50

Sharing

Report Analysis Logs

General

Target

d2e8df83543dd192ac86bc1a085b62f6fcffb1ca8cead22febd4cec634089483.dll
Size

244KB
MD5

5fd0510ba7ff98703473f3d4e72dd39e
SHA1

6572ec3ff1e71f1765f3852339b5a1d58dc00e0d
SHA256

d2e8df83543dd192ac86bc1a085b62f6fcffb1ca8cead22febd4cec634089483
SHA512

48c2aa8bca70469e1611c9b772e6c99163d95fdcec026021214c10c09ae2684eb79c1eaa080ceb2e10c956043168d166a3306da9fa78cc77cc53c6c01a1da739

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2032 372 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

2032 WerFault.exe
2032 WerFault.exe
2032 WerFault.exe
2032 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2032 WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 752 wrote to memory of 372	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 372	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 372	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 372	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 372	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 372	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 372	752	rundll32.exe	rundll32.exe
PID 372 wrote to memory of 2032	372	rundll32.exe	WerFault.exe
PID 372 wrote to memory of 2032	372	rundll32.exe	WerFault.exe
PID 372 wrote to memory of 2032	372	rundll32.exe	WerFault.exe
PID 372 wrote to memory of 2032	372	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2e8df83543dd192ac86bc1a085b62f6fcffb1ca8cead22febd4cec634089483.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2e8df83543dd192ac86bc1a085b62f6fcffb1ca8cead22febd4cec634089483.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 196
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-0-0x0000000000000000-mapping.dmp

Download
memory/372-3-0x0000000000000000-mapping.dmp

Download
memory/2032-1-0x0000000000000000-mapping.dmp

Download
memory/2032-2-0x0000000001E50000-0x0000000001E61000-memory.dmp

Filesize
68KB

Download
memory/2032-4-0x0000000002630000-0x0000000002641000-memory.dmp

Filesize
68KB

Download