bbe94db3d19640661a2816dc20fa9246330a87ae5e0a06acf5af2bee9151e8aa | Triage

Analysis

max time kernel
170s
max time network
181s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:11

Sharing

Report Analysis Logs

General

Target

bbe94db3d19640661a2816dc20fa9246330a87ae5e0a06acf5af2bee9151e8aa.dll
Size

164KB
MD5

d5e7b612e272ffbe50f93f7618487157
SHA1

10b4e3d0c27f49ac5c2258967051ecdc8374a5f8
SHA256

bbe94db3d19640661a2816dc20fa9246330a87ae5e0a06acf5af2bee9151e8aa
SHA512

3a5d27998dc28f438d25173628416fcd4aacd2e3ab505d2e1fb6d52c89215b066c350acb341f167c4ba51ea5ab4c6cbeb56d93d0c20a7c6f37e6f3cbd74eadbd

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1328 created 4060 1328 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1328 4060 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1328 WerFault.exe
Token: SeBackupPrivilege 1328 WerFault.exe
Token: SeDebugPrivilege 1328 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3992 wrote to memory of 4060	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 4060	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 4060	3992	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbe94db3d19640661a2816dc20fa9246330a87ae5e0a06acf5af2bee9151e8aa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbe94db3d19640661a2816dc20fa9246330a87ae5e0a06acf5af2bee9151e8aa.dll,#1
2⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 784
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4060-173-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/4060-175-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/4060-177-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/4060-236-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download