48e98e255cb583b4009558b8ef7206846f4daae4e65422cc9a500c4fcc939e7c | Triage

Analysis

max time kernel
124s
max time network
126s
platform
windows7_x64
resource
win7v20201028
submitted
11-11-2020 11:13

Sharing

Report Analysis Logs

General

Target

48e98e255cb583b4009558b8ef7206846f4daae4e65422cc9a500c4fcc939e7c.dll
Size

244KB
MD5

608059c39c883043b95924f842608db0
SHA1

a9434b984714cfa639b182ed08657e95edf0ae2b
SHA256

48e98e255cb583b4009558b8ef7206846f4daae4e65422cc9a500c4fcc939e7c
SHA512

6367170475d0efd1b68fee6624446659af097cf17c3d099c37a76e86f4d9f322289f4c7a4978642fed68c061ee15cfe8c5060bfa1e54682a4881bbeb2b135166

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1060 1156 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1060 WerFault.exe
1060 WerFault.exe
1060 WerFault.exe
1060 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1060 WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1080 wrote to memory of 1156	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1156	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1156	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1156	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1156	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1156	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1156	1080	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 1060	1156	rundll32.exe	WerFault.exe
PID 1156 wrote to memory of 1060	1156	rundll32.exe	WerFault.exe
PID 1156 wrote to memory of 1060	1156	rundll32.exe	WerFault.exe
PID 1156 wrote to memory of 1060	1156	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e98e255cb583b4009558b8ef7206846f4daae4e65422cc9a500c4fcc939e7c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e98e255cb583b4009558b8ef7206846f4daae4e65422cc9a500c4fcc939e7c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 196
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-1-0x0000000000000000-mapping.dmp

Download
memory/1060-2-0x0000000002250000-0x0000000002261000-memory.dmp

Filesize
68KB

Download
memory/1060-4-0x0000000002720000-0x0000000002731000-memory.dmp

Filesize
68KB

Download
memory/1156-0-0x0000000000000000-mapping.dmp

Download
memory/1156-3-0x0000000000000000-mapping.dmp

Download