25b317eee0f008753b9c9c2de0efec5976493b89d30d91a5a65a4bf32a4872ce | Triage

Analysis

max time kernel
117s
max time network
123s
platform
windows10_x64
resource
win10-en-20211208
submitted
27-12-2021 09:09

Sharing

Report Analysis Logs

General

Target

tmp/25b317eee0f008753b9c9c2de0efec5976493b89d30d91a5a65a4bf32a4872ce.exe.dll
Size

117KB
MD5

06d3cb4ee8904249183e9193654f3aa8
SHA1

fc8b81a18f0b8705ac695b1bdd47290ff0cf97f4
SHA256

25b317eee0f008753b9c9c2de0efec5976493b89d30d91a5a65a4bf32a4872ce
SHA512

3f53e742f1f1bd0ad42cf9c8c6ffc79153579194d3b378336a047097925b937d4d56859474a91381c5788d093b9389ad02685905057dde19841da7bf6e53ff95

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2260 2700 WerFault.exe regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2260 WerFault.exe
Token: SeBackupPrivilege 2260 WerFault.exe
Token: SeDebugPrivilege 2260 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2692 wrote to memory of 2700	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2700	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2700	2692	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tmp\25b317eee0f008753b9c9c2de0efec5976493b89d30d91a5a65a4bf32a4872ce.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\tmp\25b317eee0f008753b9c9c2de0efec5976493b89d30d91a5a65a4bf32a4872ce.exe.dll
2⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 612
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-115-0x0000000000000000-mapping.dmp

Download