4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f | Triage

Analysis

max time kernel
13s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:40

Sharing

Report Analysis Logs

General

Target

4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll
Size

80KB
MD5

340d2d405126ba3e5edc8337a6ddb5b5
SHA1

c83f4535ce3c47fa2edf3d94e2e5b153f757b8f4
SHA256

4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f
SHA512

180aa77d588bca616ac3a2db235e692006b93b7390948ee18c0aa59a6b1cea9f41f641a84a55df77a5da5788b6df7e9752fb17a242169b0961f8a9799c0f60f6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2064 592 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2064 WerFault.exe
Token: SeBackupPrivilege 2064 WerFault.exe
Token: SeDebugPrivilege 2064 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3408 wrote to memory of 592	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 592	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 592	3408	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll,#1
2⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 632
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-114-0x0000000000000000-mapping.dmp

Download