9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f | Triage

Analysis

max time kernel
26s
max time network
117s
platform
windows10_x64
resource
win10v20210408
submitted
11-06-2021 00:46

Sharing

Report Analysis Logs

General

Target

9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f.dll
Size

162KB
MD5

ad92991f47fea1353f57c380cca46683
SHA1

f128f6787bbe1e5bb80d4a14846ccbf2b3be65ee
SHA256

9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f
SHA512

bc35b5215615d9de33df63ad7ecb00cbb4617981adebcaf8a48bfc66cc2537c0a57ca80a6f66790febe359c0370134bdecac5fae58bd607278e069479d0ab6cb

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1332 created 1232 1332 WerFault.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2020 1232 WerFault.exe rundll32.exe
1332 1232 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2020	WerFault.exe
Token: SeBackupPrivilege	2020	WerFault.exe
Token: SeDebugPrivilege	2020	WerFault.exe
Token: SeDebugPrivilege	1332	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 64 wrote to memory of 1232	64	rundll32.exe	rundll32.exe
PID 64 wrote to memory of 1232	64	rundll32.exe	rundll32.exe
PID 64 wrote to memory of 1232	64	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec7c3dd7e1c934b7dac687b7ff8b080ed594a9ba41ab83c63d7c2c83577dd1f.dll,#1
2⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 632
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-114-0x0000000000000000-mapping.dmp

Download