bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b | Triage

Analysis

max time kernel
10s
max time network
15s
platform
windows7_x64
resource
win7v20201028
submitted
15-11-2020 22:37

Sharing

Report Analysis Logs

General

Target

bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll
Size

244KB
MD5

4a6ac9379a35b32c84605043a56e62c3
SHA1

a0a2639be7f2e36b7e3ce7f426c9789041321d86
SHA256

bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b
SHA512

ca9d9efb779878c64299c63f9a68899c035d18e5a45273d7971a664eac95ce7034a9b1d654e4cb804cbb3da77ee140cb31d421841310d47f30a382a61244cfcb

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1808 1844 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1808 WerFault.exe
1808 WerFault.exe
1808 WerFault.exe
1808 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1808 WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1004 wrote to memory of 1844	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1844	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1844	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1844	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1844	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1844	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1844	1004	rundll32.exe	rundll32.exe
PID 1844 wrote to memory of 1808	1844	rundll32.exe	WerFault.exe
PID 1844 wrote to memory of 1808	1844	rundll32.exe	WerFault.exe
PID 1844 wrote to memory of 1808	1844	rundll32.exe	WerFault.exe
PID 1844 wrote to memory of 1808	1844	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd0ef776f8a1ff7b774b2f003d9cac80de436bcfb878b8e6c105f171f3a5e84b.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 196
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-1-0x0000000000000000-mapping.dmp

Download
memory/1808-2-0x0000000001F00000-0x0000000001F11000-memory.dmp

Filesize
68KB

Download
memory/1808-4-0x00000000024F0000-0x0000000002501000-memory.dmp

Filesize
68KB

Download
memory/1844-0-0x0000000000000000-mapping.dmp

Download
memory/1844-3-0x0000000000000000-mapping.dmp

Download