3fa703e1d556c84938fa6260fd19c812b4a05a582df95ed8cf2e4eb494f74fde | Triage

Analysis

max time kernel
15s
max time network
15s
platform
windows7_x64
resource
win7-en-20211208
submitted
08-01-2022 12:24

Sharing

Report Analysis Logs

General

Target

libcef.dll
Size

1.5MB
MD5

9d78d3951d228f3c0a343e4754b80abc
SHA1

53fbc461990975c05e368807496343176976949f
SHA256

e91bece5ca4dd53ddcf926b4d132905124d214457f86e0ed4dd01d904907cef4
SHA512

2d510b3d39ef66bf18bd9c44688a738eca18ae11c13fa65c4988e98da3b11337fd568b1169db36cb4aaa19440a1a110c63e0387c3efc19c0118fabef33addff2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1460 944 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1460 WerFault.exe
1460 WerFault.exe
1460 WerFault.exe
1460 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1460 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 944 wrote to memory of 1460	944	rundll32.exe	WerFault.exe
PID 944 wrote to memory of 1460	944	rundll32.exe	WerFault.exe
PID 944 wrote to memory of 1460	944	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 944 -s 84
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-53-0x0000000000000000-mapping.dmp

Download
memory/1460-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/1460-55-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download