57c99a4a83e155dd9503fc578670e9dc67aa25811988648c7790f1157c9a5271 | Triage

Resubmissions

12-04-2021 13:42

210412-wmaks43hlj 10

12-04-2021 13:34

210412-k74rvn6b6s 7

Analysis

max time kernel
96s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
12-04-2021 13:34

Sharing

Report Analysis Logs

General

Target

output.dll
Size

1.4MB
MD5

2688406bd73347d21e7ede2a7bbfaeab
SHA1

0df05dc29da8c921ed2db6e0ac725108ce9978e6
SHA256

57c99a4a83e155dd9503fc578670e9dc67aa25811988648c7790f1157c9a5271
SHA512

03fa90508f796a9cad3a6485c54bb98655469ec48f1062977d3e351147295fe79d27a2397ed50ef013d3d98b2014263bcdbd4abe3de8c04d055058f5688c9740

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2220 1196 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1196	rundll32.exe
1196	rundll32.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2220 WerFault.exe
Token: SeBackupPrivilege 2220 WerFault.exe
Token: SeDebugPrivilege 2220 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 904 wrote to memory of 1196	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1196	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1196	904	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\output.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\output.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 804
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-114-0x0000000000000000-mapping.dmp

Download
memory/1196-115-0x0000000000AE0000-0x0000000000C4C000-memory.dmp

Filesize
1.4MB

Download
memory/1196-116-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1196-117-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/1196-118-0x0000000000C50000-0x0000000000C69000-memory.dmp

Filesize
100KB

Download