b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933 | Triage

Analysis

max time kernel
144s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:17

Sharing

Report Analysis Logs

General

Target

b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll
Size

164KB
MD5

c27bbe2a8ae596a72ddffb87649bf472
SHA1

0e5da9ec26b764caf2f54bc99967346ab47f7e9f
SHA256

b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933
SHA512

4b4b09f8d30462e4dfebb95e710dd1016633b985b87b9ba5b02cfb445c0a4d72729764a4d6224c9606647840710c9facdcfa777c6007f89ae26848fa50c8c5a2

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1712 created 2712 1712 WerFault.exe rundll32.exe
PID 1476 created 2712 1476 WerFault.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1476 2712 WerFault.exe rundll32.exe
1712 2712 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1712 WerFault.exe
Token: SeBackupPrivilege 1712 WerFault.exe
Token: SeDebugPrivilege 1712 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2508 wrote to memory of 2712	2508	rundll32.exe	rundll32.exe
PID 2508 wrote to memory of 2712	2508	rundll32.exe	rundll32.exe
PID 2508 wrote to memory of 2712	2508	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2bdb89e7f66ff7bb2bc784e511346f9e0437fa0db0a22f3413283bedc610933.dll,#1
2⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 860
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 736
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2712-136-0x0000000002F40000-0x0000000002FEE000-memory.dmp

Filesize
696KB

Download
memory/2712-174-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/2712-178-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download