6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c | Triage

Analysis

max time kernel
19s
max time network
126s
platform
windows10_x64
resource
win10v20210410
submitted
20-06-2021 23:02

Sharing

Report Analysis Logs

General

Target

6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c.dll
Size

162KB
MD5

117db81cc53dfb35eb967e9e7d15de5e
SHA1

3ec4986186dbf359831c7214e04992929a1d9baa
SHA256

6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c
SHA512

6d05f30381896223fc51c582e2aff3f7c75d410e1af57eb3d05f4fec6a429c0a8b4cc51b2590e60ecbd7620b3c0601b99efdd3777f735414ff9a57b6b5209f64

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3476 created 400 3476 WerFault.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4076 400 WerFault.exe rundll32.exe
3476 400 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	4076	WerFault.exe
Token: SeBackupPrivilege	4076	WerFault.exe
Token: SeDebugPrivilege	4076	WerFault.exe
Token: SeDebugPrivilege	3476	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3944 wrote to memory of 400	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 400	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 400	3944	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cc5485429c11fc78dc0cea7c7c8c70012baafa62b30284695c522270df5421c.dll,#1
2⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 620
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 588
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-114-0x0000000000000000-mapping.dmp

Download