e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd | Triage

Analysis

max time kernel
13s
max time network
114s
platform
windows10_x64
resource
win10v20210410
submitted
10-07-2021 10:37

Sharing

Report Analysis Logs

General

Target

e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll
Size

8.3MB
MD5

cf903aa75574ea4b1be9c96a027203d3
SHA1

b9c5441919d9a247aa7449b354bb8c100665d23e
SHA256

e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd
SHA512

152dbd473d2277a95ec79a3d57f047ec8026617efc0117ad82d20102ca6a45c8ebb1a237fb0b0c0a40d5dee10c5f240cf946de73cdd11a523138270bad891b1f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1860 3212 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1860 WerFault.exe
Token: SeBackupPrivilege 1860 WerFault.exe
Token: SeDebugPrivilege 1860 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1852 wrote to memory of 3212	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 3212	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 3212	1852	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e446b4ca910c3ff3b3add0fb35b3120385d880f7cf02ca21ba872e1d57eb39dd.bin.sample.dll,#1
2⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3212-114-0x0000000000000000-mapping.dmp

Download