24664c11778ac8e24496f50e8428a1ba88efb9e5459d2ab42237ce0801471f45 | Triage

Analysis

max time kernel
22s
max time network
25s
platform
windows7_x64
resource
win7v20201028
submitted
15-11-2020 22:38

Sharing

Report Analysis Logs

General

Target

24664c11778ac8e24496f50e8428a1ba88efb9e5459d2ab42237ce0801471f45.dll
Size

304KB
MD5

c083bdae59044dd8587025696b5bd146
SHA1

9d8f7d44c58de10c5fa0e3d9476b52f732e29d4a
SHA256

24664c11778ac8e24496f50e8428a1ba88efb9e5459d2ab42237ce0801471f45
SHA512

bd2c37cff833b25be3e521da47709949182e8e0dcf0e1ce19fdaba828916a3112bc130ad5df0cfc652d590cd73b2bc042e1337b4eb41af18231bae190716a87f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1440 1080 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1440 WerFault.exe
1440 WerFault.exe
1440 WerFault.exe
1440 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1440 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1080 wrote to memory of 1440	1080	rundll32.exe	WerFault.exe
PID 1080 wrote to memory of 1440	1080	rundll32.exe	WerFault.exe
PID 1080 wrote to memory of 1440	1080	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24664c11778ac8e24496f50e8428a1ba88efb9e5459d2ab42237ce0801471f45.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1080 -s 56
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-0-0x0000000000000000-mapping.dmp

Download
memory/1440-1-0x0000000001D90000-0x0000000001DA1000-memory.dmp

Filesize
68KB

Download
memory/1440-2-0x0000000002770000-0x0000000002781000-memory.dmp

Filesize
68KB

Download