57c0d780e0e67485183d1d4319858244d58555effc7b4e5eb73b6d86e9c6a9d1 | Triage

Analysis

max time kernel
3s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
12-11-2020 13:58

Sharing

Report Analysis Logs

General

Target

57c0d780e0e67485183d1d4319858244d58555effc7b4e5eb73b6d86e9c6a9d1.dll
Size

254KB
MD5

76828770db6f9633f3fbefe6d61d0df8
SHA1

7259970e1240dfb42ab54b0aa9f2cc25be3be535
SHA256

57c0d780e0e67485183d1d4319858244d58555effc7b4e5eb73b6d86e9c6a9d1
SHA512

d7452471e92bbc8330f34b61f05fe31fa32da5fa2421fc122c3e30fecd3c1105b911c6158aebe334ed371976e8f06afc643d272d90031a7ceee0c8aa3dcf9604

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1920 848 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1920 WerFault.exe
1920 WerFault.exe
1920 WerFault.exe
1920 WerFault.exe
1920 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1920 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 848 wrote to memory of 1920	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 1920	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 1920	848	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\57c0d780e0e67485183d1d4319858244d58555effc7b4e5eb73b6d86e9c6a9d1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 848 -s 108
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1920-0-0x0000000000000000-mapping.dmp

Download
memory/1920-1-0x0000000001DB0000-0x0000000001DC1000-memory.dmp

Filesize
68KB

Download
memory/1920-2-0x00000000026E0000-0x00000000026F1000-memory.dmp

Filesize
68KB

Download