0bb797aef9711d46a54f363b0d28211337605db7d84b079e91cae672f7a981d4 | Triage

Resubmissions

29-06-2021 06:23

210629-67r8eb77n2 10

29-06-2021 02:20

210629-pwaz9kaesn 10

Analysis

max time kernel
12s
max time network
115s
platform
windows10_x64
resource
win10v20210410
submitted
29-06-2021 02:20

Sharing

Report Analysis Logs

General

Target

winSelBefore.jpg.dll
Size

3.0MB
MD5

3338255935766fef84a53e2aaaac6d34
SHA1

625bfb066ef13e19a59f6559cb3a1f42aba58d2b
SHA256

0bb797aef9711d46a54f363b0d28211337605db7d84b079e91cae672f7a981d4
SHA512

0c7b274ecea5a394721a689de68e0560afece27703b76db5839dcf830fd0e3ff2a1e730edd59d8121b02671283b4fd06ad345b781e854a0c3a63b84b7f064f40

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

204 900 WerFault.exe regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 204 WerFault.exe
Token: SeBackupPrivilege 204 WerFault.exe
Token: SeDebugPrivilege 204 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3944 wrote to memory of 900	3944	regsvr32.exe	regsvr32.exe
PID 3944 wrote to memory of 900	3944	regsvr32.exe	regsvr32.exe
PID 3944 wrote to memory of 900	3944	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\winSelBefore.jpg.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\winSelBefore.jpg.dll
2⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 628
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:204

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-114-0x0000000000000000-mapping.dmp

Download
memory/900-115-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/900-116-0x0000000000A30000-0x0000000000A73000-memory.dmp

Filesize
268KB

Download