f9dc2f536e2b567243a87908f83b747ae131ee48847a0891b8b08232494f203b | Triage

Analysis

max time kernel
24s
max time network
26s
platform
windows7_x64
resource
win7v20201028
submitted
11-11-2020 11:15

Sharing

Report Analysis Logs

General

Target

f9dc2f536e2b567243a87908f83b747ae131ee48847a0891b8b08232494f203b.dll
Size

256KB
MD5

9089a4920bb8a74145400fd6944f3817
SHA1

b7220c3bf2c040a462348fcad5280d9337611819
SHA256

f9dc2f536e2b567243a87908f83b747ae131ee48847a0891b8b08232494f203b
SHA512

2b1922f982f830430aaa08f2d14d3107c140648193f80cb1cb214f5d5ac8a8a3ae31d46859491ade929e23f66a099a57e30fc47fb084a57be8f15ac157688586

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1272 1916 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1272 WerFault.exe
1272 WerFault.exe
1272 WerFault.exe
1272 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1272 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1916 wrote to memory of 1272	1916	rundll32.exe	WerFault.exe
PID 1916 wrote to memory of 1272	1916	rundll32.exe	WerFault.exe
PID 1916 wrote to memory of 1272	1916	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9dc2f536e2b567243a87908f83b747ae131ee48847a0891b8b08232494f203b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1916 -s 108
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-0-0x0000000000000000-mapping.dmp

Download
memory/1272-1-0x0000000001E30000-0x0000000001E41000-memory.dmp

Filesize
68KB

Download
memory/1272-2-0x0000000002770000-0x0000000002781000-memory.dmp

Filesize
68KB

Download