f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02 | Triage

Analysis

max time kernel
18s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
20-06-2021 22:02

Sharing

Report Analysis Logs

General

Target

f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll
Size

162KB
MD5

53d7825bfc59b2876ff730be923b0f22
SHA1

b17f53f1fc3d0b79452ef381351555436ae3c107
SHA256

f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02
SHA512

c63ce781ce37491608ce3e8075fabc9f6067182b03217f1fa7ec982293d8fdca2e670e3d8aacbf5d8dede800b407fb04aace418dd4aa79194cca91d0a83c8aca

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2592 created 3192 2592 WerFault.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3376 3192 WerFault.exe rundll32.exe
2592 3192 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
3376	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3376	WerFault.exe
Token: SeBackupPrivilege	3376	WerFault.exe
Token: SeDebugPrivilege	3376	WerFault.exe
Token: SeDebugPrivilege	2592	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2576 wrote to memory of 3192	2576	rundll32.exe	rundll32.exe
PID 2576 wrote to memory of 3192	2576	rundll32.exe	rundll32.exe
PID 2576 wrote to memory of 3192	2576	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f088bd9d0f62a5063fc8ac48da70d4255651f67d4eb026952e665820fd10fc02.dll,#1
2⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 620
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3192-114-0x0000000000000000-mapping.dmp

Download