87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851 | Triage

Analysis

max time kernel
175s
max time network
175s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:39

Sharing

Report Analysis Logs

General

Target

87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll
Size

164KB
MD5

3fdf7b8a34ece9a0a844749262415a93
SHA1

42668023abd7c4eab24909adb101826af897320e
SHA256

87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851
SHA512

2dfa4f9a5c98bf2c85faefd859bef7719c53c914d718f4531ee6a68806a40ad7157491dcf948a1a4e7b890f7d8ca5d7ea662b42adffb85d9795d7d0463d155c4

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2976 created 3044 2976 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2976 3044 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2976 WerFault.exe
Token: SeBackupPrivilege 2976 WerFault.exe
Token: SeDebugPrivilege 2976 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2344 wrote to memory of 3044	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 3044	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 3044	2344	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c9af30e4480f00871bfc3df9b9e60b4893579cc5392ebf4fcb96ab5ba1c851.dll,#1
2⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 796
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3044-115-0x0000000003040000-0x0000000003294000-memory.dmp

Filesize
2.3MB

Download
memory/3044-116-0x0000000005F10000-0x0000000005F33000-memory.dmp

Filesize
140KB

Download
memory/3044-117-0x0000000005FD0000-0x0000000005FD6000-memory.dmp

Filesize
24KB

Download