189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample

General
Target: 189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll
Filesize: 76KB
Completed: 26-07-2021 12:50
Score: 3/10
MD5: 481bb895c8b953b598719262328ccd12
SHA1: 99d3504e713f3ae31eee340fca81a250f4f805dd
SHA256: 189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca

Malware Config
Signatures 4


  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    4020 | 808 | WerFault.exe | rundll32.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid | process
    4020 | WerFault.exe (14 identical rows reported)
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeRestorePrivilege | 4020 | WerFault.exe
    Token: SeBackupPrivilege | 4020 | WerFault.exe
    Token: SeDebugPrivilege | 4020 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 1852 wrote to memory of 808 | 1852 | rundll32.exe | rundll32.exe (3 identical rows reported)
Processes 3
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\189080f597580fb7d4672022a3307a689318142cf133cc5552082509484c25ca.sample.dll,#1
      PID:808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 636
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:4020
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
                          Downloads
                          • memory/808-114-0x0000000000000000-mapping.dmp