4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d | Triage

Analysis

max time kernel
122s
max time network
122s
platform
windows10_x64
resource
win10-en-20211208
submitted
27-12-2021 09:13

Sharing

Report Analysis Logs

General

Target

tmp/4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll
Size

132KB
MD5

7eff73c1b8448ce059f5b3be69ca05ca
SHA1

e7e851d35d466ce5302531749df6bcc8dcb46d6d
SHA256

4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d
SHA512

da95c4518f109ef36ff09f7f468f8afc92f44686346ee0546be276fb9d77cecba7c60955d1a4ed170c7446bdd40fd0791ceb57e77531f13f1e33f221aec72b38

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4112 3528 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe
4112	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4112 WerFault.exe
Token: SeBackupPrivilege 4112 WerFault.exe
Token: SeDebugPrivilege 4112 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3536 wrote to memory of 3528	3536	rundll32.exe	rundll32.exe
PID 3536 wrote to memory of 3528	3536	rundll32.exe	rundll32.exe
PID 3536 wrote to memory of 3528	3536	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp\4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp\4301e7b9930f5dd947d54f9f3bf287eb4e925c31942ecf0eab4a0c79c29fd39d.exe.dll,#1
2⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 620
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3528-115-0x0000000000000000-mapping.dmp

Download