c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414 | Triage

Analysis

max time kernel
12s
max time network
115s
platform
windows10_x64
resource
win10v20201028
submitted
12-11-2020 14:07

Sharing

Report Analysis Logs

General

Target

c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414.dll
Size

256KB
MD5

195b92ab2e9b2ff98c42b764331c5619
SHA1

4cbde98fc024a4e4930f7558883403216d939569
SHA256

c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414
SHA512

0e8686f99ac03733cbd32b0286526f8302583ae1c1a3d55c80bfd84a8d82857b55061363e31ab6862decd10e51b1931e578dd7cefd633ec4d884c6af224a6be5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4916 4644 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 4916 WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1c64277c182c6ff91f51720b562b92e40beb7622459bec21a48c16d40650414.dll,#1
1⤵
PID:4644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4644 -s 292
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4916-0-0x000001F296B30000-0x000001F296B31000-memory.dmp

Filesize
4KB

Download
memory/4916-1-0x000001F2979A0000-0x000001F2979A1000-memory.dmp

Filesize
4KB

Download
memory/4916-2-0x000001F2979A0000-0x000001F2979A1000-memory.dmp

Filesize
4KB

Download