831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6 | Triage

Analysis

max time kernel
26s
max time network
112s
platform
windows10_x64
resource
win10v20210408
submitted
21-06-2021 01:02

Sharing

Report Analysis Logs

General

Target

831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6.dll
Size

162KB
MD5

a4f3a6f39c608def79563d186c17c97e
SHA1

71e11ce28337a3027d0ea9cb6e40527e6fce1f5a
SHA256

831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6
SHA512

739ff3dcafd7303d9c8d32f5beb55ef1bda0d918478681f06a68934cf796d348243ed0fce11d56552f3376b2dbdaf6403ca20232bc0dd4065906792e492a5dfd

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1996 created 784 1996 WerFault.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4032 784 WerFault.exe rundll32.exe
1996 784 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	4032	WerFault.exe
Token: SeBackupPrivilege	4032	WerFault.exe
Token: SeDebugPrivilege	4032	WerFault.exe
Token: SeDebugPrivilege	1996	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3716 wrote to memory of 784	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 784	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 784	3716	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\831de5418e6c3169039e605216198023ba6d461f376309d1299840926ac57ff6.dll,#1
2⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 620
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 636
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-114-0x0000000000000000-mapping.dmp

Download