05d7313674fbfe1448cff6ce396458ea2cbc74d67be1ca00ae5532790be060b8 | Triage

Analysis

max time kernel
6s
max time network
13s
platform
windows7_x64
resource
win7v20201028
submitted
11-11-2020 10:55

Sharing

Report Analysis Logs

General

Target

05d7313674fbfe1448cff6ce396458ea2cbc74d67be1ca00ae5532790be060b8.dll
Size

256KB
MD5

8323642eddd9f2fc8dd4c29daa8c0538
SHA1

3c12a3d6021f7a8618b01400e17ef03ece150716
SHA256

05d7313674fbfe1448cff6ce396458ea2cbc74d67be1ca00ae5532790be060b8
SHA512

c0465dfa743412eff9ec4147945d79e30ca3409dc36791d03226fee99639c60a6261acd81c1d9cd28c9f71ee748dbe95c6536e3c391dae1718c7b312b2e51e79

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1272 1816 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1272 WerFault.exe
1272 WerFault.exe
1272 WerFault.exe
1272 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1272 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1816 wrote to memory of 1272	1816	rundll32.exe	WerFault.exe
PID 1816 wrote to memory of 1272	1816	rundll32.exe	WerFault.exe
PID 1816 wrote to memory of 1272	1816	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05d7313674fbfe1448cff6ce396458ea2cbc74d67be1ca00ae5532790be060b8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1816 -s 108
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-0-0x0000000000000000-mapping.dmp

Download
memory/1272-1-0x0000000001F70000-0x0000000001F81000-memory.dmp

Filesize
68KB

Download
memory/1272-2-0x0000000002720000-0x0000000002731000-memory.dmp

Filesize
68KB

Download