690c488a9902978f2ef05aa23d21f4fa30a52dd9d11191f9b49667cd08618d87.bin

General
Target

690c488a9902978f2ef05aa23d21f4fa30a52dd9d11191f9b49667cd08618d87.bin.dll

Filesize

34KB

Completed

27-07-2021 22:13

Score
3 /10
MD5

1ca0fbd832f9f7cdc0e50b29bd0d970f

SHA1

9be6a2bc9df78f4566e5690e2f1bb696ae96cb48

SHA256

690c488a9902978f2ef05aa23d21f4fa30a52dd9d11191f9b49667cd08618d87

Malware Config
Signatures 5

  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    1144  2040        WerFault.exe  rundll32.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    1144  WerFault.exe
    1144  WerFault.exe
    1144  WerFault.exe
    1144  WerFault.exe
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid   process
    1144  WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1144  WerFault.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exerundll32.exe

    Reported IOCs

    description                       pid   process       target process
    PID 1652 wrote to memory of 2040  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2040  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2040  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2040  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2040  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2040  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2040  1652  rundll32.exe  rundll32.exe
    PID 2040 wrote to memory of 1144  2040  rundll32.exe  WerFault.exe
    PID 2040 wrote to memory of 1144  2040  rundll32.exe  WerFault.exe
    PID 2040 wrote to memory of 1144  2040  rundll32.exe  WerFault.exe
    PID 2040 wrote to memory of 1144  2040  rundll32.exe  WerFault.exe
Processes 3
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\690c488a9902978f2ef05aa23d21f4fa30a52dd9d11191f9b49667cd08618d87.bin.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\690c488a9902978f2ef05aa23d21f4fa30a52dd9d11191f9b49667cd08618d87.bin.dll,#1
      Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 224
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        PID:1144
Network
Downloads
  • memory/1144-62-0x0000000000000000-mapping.dmp
  • memory/1144-64-0x00000000003C0000-0x00000000003C1000-memory.dmp
  • memory/2040-60-0x0000000000000000-mapping.dmp
  • memory/2040-61-0x00000000754F1000-0x00000000754F3000-memory.dmp