e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4 | Triage

Analysis

max time kernel
18s
max time network
115s
platform
windows10_x64
resource
win10v20210410
submitted
11-06-2021 03:03

Sharing

Report Analysis Logs

General

Target

e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4.dll
Size

162KB
MD5

984659f72b2471de93d4f933a838a3d1
SHA1

85d0017e3f6e527c1cfffdc6a4effbddb928c9b8
SHA256

e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4
SHA512

3d08d792ccd85e702a2e001f9b42e54a4e76a4a42faa4236cd42b6c47be9f08f816fcb2f72db21b1d000549a326d864e2e6be2a3bb2d3c62aaef5d7816fad8ae

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2120 created 3156 2120 WerFault.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3176 3156 WerFault.exe rundll32.exe
2120 3156 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
3176	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3176	WerFault.exe
Token: SeBackupPrivilege	3176	WerFault.exe
Token: SeDebugPrivilege	3176	WerFault.exe
Token: SeDebugPrivilege	2120	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2680 wrote to memory of 3156	2680	rundll32.exe	rundll32.exe
PID 2680 wrote to memory of 3156	2680	rundll32.exe	rundll32.exe
PID 2680 wrote to memory of 3156	2680	rundll32.exe	rundll32.exe

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4.dll,#1
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 616
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 632
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e492f30eb8a94e28e6658442388ab68bb002090a2cc040b32991d030f7934db4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2680

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3156-114-0x0000000000000000-mapping.dmp

Download