99ca4d78c14cfd9f6fe13b48182edf366400ea74aa712edeb780b90acf15d993 | Triage

Analysis

max time kernel
581s
max time network
591s
platform
windows10_x64
resource
win10v20210410
submitted
22-07-2021 15:42

Sharing

Report Analysis Logs

General

Target

99ca4d78c14cfd9f6fe13b48182edf366400ea74aa712edeb780b90acf15d993.dll
Size

230KB
MD5

6d5348e093b99e3c50b32a2af135cca6
SHA1

f87edb62046f84f8efb9f54b738850fc538c8f4c
SHA256

99ca4d78c14cfd9f6fe13b48182edf366400ea74aa712edeb780b90acf15d993
SHA512

5b9198e6f6780cb67167da8d013f353f38e596664b58d239e155178b37355aea68b0c1416c15d50184c2216a72521c360545de61c71e6631b983f2478a00d183

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2596 816 WerFault.exe regsvr32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

regsvr32.exeWerFault.exe

pid	process
816	regsvr32.exe
816	regsvr32.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2596 WerFault.exe
Token: SeBackupPrivilege 2596 WerFault.exe
Token: SeDebugPrivilege 2596 WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1496 wrote to memory of 816	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 816	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 816	1496	regsvr32.exe	regsvr32.exe
PID 816 wrote to memory of 2888	816	regsvr32.exe	explorer.exe
PID 816 wrote to memory of 2888	816	regsvr32.exe	explorer.exe
PID 816 wrote to memory of 2888	816	regsvr32.exe	explorer.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\99ca4d78c14cfd9f6fe13b48182edf366400ea74aa712edeb780b90acf15d993.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\99ca4d78c14cfd9f6fe13b48182edf366400ea74aa712edeb780b90acf15d993.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 764
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-114-0x0000000000000000-mapping.dmp

Download