e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743 | Triage

Analysis

max time kernel
124s
max time network
165s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 00:47

Sharing

Report Analysis Logs

General

Target

e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll
Size

166KB
MD5

f2440c173c422378430d78028a504068
SHA1

f5fe9cd7f7572c44df92f75990ddfb7d28a52560
SHA256

e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743
SHA512

b4697427d07de04479e5b689bc146fac49b0b869bd96f457016d76d563c052b3c716327f30201d0e4ef2f97b0d9e1a2e6af37449df8fd9618c3c7735f4538fd3

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4016 created 3156 4016 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4016 3156 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe
4016	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4016 WerFault.exe
Token: SeBackupPrivilege 4016 WerFault.exe
Token: SeDebugPrivilege 4016 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 660 wrote to memory of 3156	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 3156	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 3156	660	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e77b1f4456e8e8709e8c0e0aff0003af3767ffe7846afa878664407831290743.dll,#1
2⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 800
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3156-118-0x0000000000690000-0x000000000073E000-memory.dmp

Filesize
696KB

Download
memory/3156-119-0x00000000006B0000-0x00000000009F4000-memory.dmp

Filesize
3.3MB

Download
memory/3156-120-0x00000000006B0000-0x00000000009F4000-memory.dmp

Filesize
3.3MB

Download
memory/3156-121-0x0000000000E60000-0x0000000000E66000-memory.dmp

Filesize
24KB

Download