c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580 | Triage

Analysis

max time kernel
49s
max time network
59s
platform
windows10_x64
resource
win10v20210408
submitted
04-05-2021 15:38

Sharing

Report Analysis Logs

General

Target

c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580.dll
Size

162KB
MD5

26894c7f4eac0bc7dab98c042e61cc43
SHA1

510b5714cb078c99491a9945e193b8b713097f62
SHA256

c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580
SHA512

94d5fb93b3f0be22513995729fb80887c5e0a3ddeae1a2b47825571d50d344fd41b38caa0e4354ac24d8404e1e535e3c4ad23493da0884a235c1a22b1e26c056

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2352 3720 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2352 WerFault.exe
Token: SeBackupPrivilege 2352 WerFault.exe
Token: SeDebugPrivilege 2352 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3920 wrote to memory of 3720	3920	rundll32.exe	rundll32.exe
PID 3920 wrote to memory of 3720	3920	rundll32.exe	rundll32.exe
PID 3920 wrote to memory of 3720	3920	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2b418a45a024ba768abafe9948f3b35bdd7d4d2b4b2648414e5c05cc3ac7580.dll,#1
2⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 628
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3720-114-0x0000000000000000-mapping.dmp

Download