General

Target:    0x000100000001ab31-114.dat.dll
Filesize:  11KB
Completed: 01-12-2021 18:27
Task:      behavioral1
Score:     3/10

MD5:    fccff8cb7a1067e23fd2e2b63971a8e1
SHA1:   30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Malware Config
Signatures (5)

  • Program crash
    WerFault.exe

    Reported IOCs

    pid  | pid_target | process      | target process
    1500 | 1176       | WerFault.exe | rundll32.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid  | process
    1500 | WerFault.exe   (reported 5 times)
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid  | process
    1500 | WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 1500 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe, rundll32.exe

    Reported IOCs

    description                      | pid  | process      | target process
    PID 1060 wrote to memory of 1176 | 1060 | rundll32.exe | rundll32.exe     (reported 7 times)
    PID 1176 wrote to memory of 1500 | 1176 | rundll32.exe | WerFault.exe     (reported 4 times)
Processes (3)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000100000001ab31-114.dat.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000100000001ab31-114.dat.dll,#1
      Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 224
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        PID:1500
Network
MITRE ATT&CK Matrix
  Columns: Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
  (no techniques mapped for this task)
Downloads
  • memory/1176-55-0x0000000000000000-mapping.dmp
  • memory/1176-56-0x0000000075821000-0x0000000075823000-memory.dmp
  • memory/1500-57-0x0000000000000000-mapping.dmp
  • memory/1500-59-0x0000000000550000-0x0000000000551000-memory.dmp