d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51 | Triage

Analysis

max time kernel
162s
max time network
177s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 00:56

Sharing

Report Analysis Logs

General

Target

d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll
Size

164KB
MD5

7d202172c49d60aa1847d90bd284114f
SHA1

1cab5eedcd7390806332a2f25d264e79395e1005
SHA256

d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51
SHA512

a4cc0b5645d44d13fab043b20602dc9730d36825f75df19743f1d26821dd1c5a7f86d4f2470702d46368032db72a3087484afff768ba7a3441029f75d91b5dfb

Score

3^/10

Malware Config

Signatures

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3960 2176 WerFault.exe rundll32.exe
1016 2176 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1016 WerFault.exe
Token: SeBackupPrivilege 1016 WerFault.exe
Token: SeDebugPrivilege 1016 WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1440 wrote to memory of 2176	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 2176	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 2176	1440	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 3960	2176	rundll32.exe	WerFault.exe
PID 2176 wrote to memory of 3960	2176	rundll32.exe	WerFault.exe
PID 2176 wrote to memory of 3960	2176	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7a15f872a64811b74f40992df2f45f7f800ee88775e50cc0ab02d7d9247de51.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 652
3⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 652
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...