394a8f52740bf387008548ca3e8e47b890e3a5c5f208f5fbde6fd57e5a25bdb1 | Triage

Analysis

max time kernel
122s
max time network
142s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-12-2021 11:10

Sharing

Report Analysis Logs

General

Target

394a8f52740bf387008548ca3e8e47b890e3a5c5f208f5fbde6fd57e5a25bdb1.bin.dll
Size

5KB
MD5

d56443c835e68547256b2b8ce64fcd73
SHA1

ca817b7459c98c25a5d845f8734d3227430520b3
SHA256

394a8f52740bf387008548ca3e8e47b890e3a5c5f208f5fbde6fd57e5a25bdb1
SHA512

aae457f9b572c985e0fdd2c5d47ff3b5dae05211e53e693f261abee6c5a3ef71a02521250b19f606099e3c4e4f07ac0c7440b9a118fa075de9cd0a06f970936d

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1000 972 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1000 WerFault.exe
Token: SeBackupPrivilege 1000 WerFault.exe
Token: SeDebugPrivilege 1000 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3716 wrote to memory of 972	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 972	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 972	3716	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\394a8f52740bf387008548ca3e8e47b890e3a5c5f208f5fbde6fd57e5a25bdb1.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\394a8f52740bf387008548ca3e8e47b890e3a5c5f208f5fbde6fd57e5a25bdb1.bin.dll,#1
2⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/972-118-0x0000000000000000-mapping.dmp

Download