c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414 | Triage

Analysis

max time kernel
100s
max time network
102s
platform
windows7_x64
resource
win7v20201028
submitted
12-11-2020 14:07

Sharing

Report Analysis Logs

General

Target

c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414.dll
Size

256KB
MD5

195b92ab2e9b2ff98c42b764331c5619
SHA1

4cbde98fc024a4e4930f7558883403216d939569
SHA256

c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414
SHA512

0e8686f99ac03733cbd32b0286526f8302583ae1c1a3d55c80bfd84a8d82857b55061363e31ab6862decd10e51b1931e578dd7cefd633ec4d884c6af224a6be5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1832 684 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1832 WerFault.exe
1832 WerFault.exe
1832 WerFault.exe
1832 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1832 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 684 wrote to memory of 1832	684	rundll32.exe	WerFault.exe
PID 684 wrote to memory of 1832	684	rundll32.exe	WerFault.exe
PID 684 wrote to memory of 1832	684	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 684 -s 108
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-0-0x0000000000000000-mapping.dmp

Download
memory/1832-1-0x0000000001EA0000-0x0000000001EB1000-memory.dmp

Filesize
68KB

Download
memory/1832-2-0x0000000002810000-0x0000000002821000-memory.dmp

Filesize
68KB

Download