557772effd7149653c391055a2bd4d12eb2588255fbb0b66112958554e6579ff | Triage

Analysis

max time kernel
4s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
13-12-2020 08:32

Sharing

Report Analysis Logs

General

Target

368b791d4fb7342d10d298e4445aa624.dll
Size

199KB
MD5

368b791d4fb7342d10d298e4445aa624
SHA1

288ea4542bb8b758c0b13d54deb36b00c287f032
SHA256

557772effd7149653c391055a2bd4d12eb2588255fbb0b66112958554e6579ff
SHA512

486368d60e0d49906d55d7b8101b2df7ea791e4644cefb1d9c2618ab78bf9db717fbc0cbcfa7d5585102b25467224ea29765c3cf002cabd72ae814370de7eac1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1484 1904 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1484 WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 740 wrote to memory of 1904	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1904	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1904	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1904	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1904	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1904	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1904	740	rundll32.exe	rundll32.exe
PID 1904 wrote to memory of 1484	1904	rundll32.exe	WerFault.exe
PID 1904 wrote to memory of 1484	1904	rundll32.exe	WerFault.exe
PID 1904 wrote to memory of 1484	1904	rundll32.exe	WerFault.exe
PID 1904 wrote to memory of 1484	1904	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\368b791d4fb7342d10d298e4445aa624.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 244
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1484-3-0x0000000000000000-mapping.dmp

Download
memory/1484-4-0x00000000021D0000-0x00000000021E1000-memory.dmp

Filesize
68KB

Download
memory/1484-6-0x00000000028B0000-0x00000000028C1000-memory.dmp

Filesize
68KB

Download
memory/1904-2-0x0000000000000000-mapping.dmp

Download
memory/1904-5-0x0000000000000000-mapping.dmp

Download