7047df7a1efe3c1cecc26445b59ac74fd912c9e77ee01f74d653dd20d5edbd0d | Triage

Analysis

max time kernel
122s
max time network
159s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:51

Sharing

Report Analysis Logs

General

Target

7047df7a1efe3c1cecc26445b59ac74fd912c9e77ee01f74d653dd20d5edbd0d.dll
Size

161KB
MD5

8ff4df6e75d5337a6ad5e7af26ea1bb5
SHA1

740dd9d6004d7ac7b5f95c4f9c2cb57378417625
SHA256

7047df7a1efe3c1cecc26445b59ac74fd912c9e77ee01f74d653dd20d5edbd0d
SHA512

7ddb52565142e7b1906c2dcd3deebcdd1e8d8878ad84ab5054870072a2fc1fc1b42860125f28134ec0f7abc207d9a82fe5608039591f91fa624af28b9a5bf1ab

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3008 created 2752 3008 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3008 2752 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3008 WerFault.exe
Token: SeBackupPrivilege 3008 WerFault.exe
Token: SeDebugPrivilege 3008 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 920 wrote to memory of 2752	920	rundll32.exe	rundll32.exe
PID 920 wrote to memory of 2752	920	rundll32.exe	rundll32.exe
PID 920 wrote to memory of 2752	920	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7047df7a1efe3c1cecc26445b59ac74fd912c9e77ee01f74d653dd20d5edbd0d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7047df7a1efe3c1cecc26445b59ac74fd912c9e77ee01f74d653dd20d5edbd0d.dll,#1
2⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 744
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2752-118-0x0000000005A10000-0x0000000005A33000-memory.dmp

Filesize
140KB

Download
memory/2752-119-0x0000000005A10000-0x0000000005A33000-memory.dmp

Filesize
140KB

Download
memory/2752-120-0x0000000005A10000-0x0000000005A33000-memory.dmp

Filesize
140KB

Download
memory/2752-121-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download