c88f8d086be8dd345babad15c76490ef889af7eaecb015f3107ff039f0ed5f2d | Triage

Analysis

max time kernel
116s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
22-09-2021 11:39

Sharing

Report Analysis Logs

General

Target

7574.dll
Size

68KB
MD5

5f5aed43a3ee55f2727f1c1470a6db32
SHA1

7574a3cb7c27bd548e93309b0401e7ce48d22d76
SHA256

c88f8d086be8dd345babad15c76490ef889af7eaecb015f3107ff039f0ed5f2d
SHA512

a3912fb654538c73c57c9a60b8a67e60b2446f1c5824d068613722a576bdcd26ef8ea121ffb4831b140049cecafd49e6879426dab7312c9e7a7283e9ebd4ae7f

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 780 created 2996 780 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

780 2996 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 780 WerFault.exe
Token: SeBackupPrivilege 780 WerFault.exe
Token: SeDebugPrivilege 780 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 776 wrote to memory of 2996	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 2996	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 2996	776	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7574.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7574.dll,#1
2⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 596
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2996-114-0x0000000000000000-mapping.dmp

Download