e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad | Triage

Analysis

max time kernel
118s
max time network
124s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 09:04

Sharing

Report Analysis Logs

General

Target

tmp/e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
Size

117KB
MD5

a44471e5bb6e5577698c0aff854f0bf1
SHA1

fee0a1f386c4b543d0de1797593ab04c17ae0262
SHA256

e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad
SHA512

6537f97a150544456f502270dc23320ff7f2e025d2bf808c5624a6a2d1c6a06a64c7651b421ab7bea297eeff86417eb0d48fda74231182841f8e4cc5c55de5e0

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2328 668 WerFault.exe regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2328 WerFault.exe
Token: SeBackupPrivilege 2328 WerFault.exe
Token: SeDebugPrivilege 2328 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3312 wrote to memory of 668	3312	regsvr32.exe	regsvr32.exe
PID 3312 wrote to memory of 668	3312	regsvr32.exe	regsvr32.exe
PID 3312 wrote to memory of 668	3312	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tmp\e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\tmp\e9964d0f6bcb438ae78ffce9a93359a48de8c8150d7eadde22578385f9fb42ad.exe.dll
2⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 612
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-115-0x0000000000000000-mapping.dmp

Download