e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480 | Triage

Analysis

max time kernel
18s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
21-06-2021 00:02

Sharing

Report Analysis Logs

General

Target

e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480.dll
Size

162KB
MD5

ddbd753ef4e84e284f6417c2b3aa825e
SHA1

814719b470431afb3d73e33ed0d5f37be9b9bbfd
SHA256

e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480
SHA512

2e8ca67d8dbc619505985076372d3fa10718316a5ccb54846b892f3c85d30123a0c7055005feef1ad0733d6b953d4ae1a3b86692181474c6cd1f63b0f3b561e2

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1420 created 3876 1420 WerFault.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2304 3876 WerFault.exe rundll32.exe
1420 3876 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2304	WerFault.exe
Token: SeBackupPrivilege	2304	WerFault.exe
Token: SeDebugPrivilege	2304	WerFault.exe
Token: SeDebugPrivilege	1420	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3916 wrote to memory of 3876	3916	rundll32.exe	rundll32.exe
PID 3916 wrote to memory of 3876	3916	rundll32.exe	rundll32.exe
PID 3916 wrote to memory of 3876	3916	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3b348c2a389456f0eba6218875e8827f57cb762b1efd6fbd8158974bd792480.dll,#1
2⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 636
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3876-114-0x0000000000000000-mapping.dmp

Download