General

Target:    0x000100000001ab31-114.dat.dll
Filesize:  11KB
Completed: 01-12-2021 18:27
Task:      behavioral1
Score:     3/10

MD5:    fccff8cb7a1067e23fd2e2b63971a8e1
SHA1:   30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
Malware Config
Signatures (5)

1. Program crash (WerFault.exe)
   Reported IOCs:
   pid   pid_target  process       target process
   1500  1176        WerFault.exe  rundll32.exe

2. Suspicious behavior: EnumeratesProcesses (WerFault.exe)
   Reported IOCs:
   pid   process
   1500  WerFault.exe   (same row reported 5 times)

3. Suspicious behavior: GetForegroundWindowSpam (WerFault.exe)
   Reported IOCs:
   pid   process
   1500  WerFault.exe

4. Suspicious use of AdjustPrivilegeToken (WerFault.exe)
   Reported IOCs:
   description                pid   process
   Token: SeDebugPrivilege    1500  WerFault.exe

5. Suspicious use of WriteProcessMemory (rundll32.exe, rundll32.exe)
   Reported IOCs:
   description                        pid   process       target process
   PID 1060 wrote to memory of 1176   1060  rundll32.exe  rundll32.exe   (same row reported 7 times)
   PID 1176 wrote to memory of 1500   1176  rundll32.exe  WerFault.exe   (same row reported 4 times)
Processes (3)

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000100000001ab31-114.dat.dll,#1
   Signatures:   Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000100000001ab31-114.dat.dll,#1
   Signatures:   Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 224
   Signatures:   Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- memory/1176-55-0x0000000000000000-mapping.dmp
- memory/1176-56-0x0000000075821000-0x0000000075823000-memory.dmp
- memory/1500-57-0x0000000000000000-mapping.dmp
- memory/1500-59-0x0000000000550000-0x0000000000551000-memory.dmp