b10cc7b88d7a76bbb5f22fd3cad50e351c902e1d16daaf9135f44b9571e533eb | Triage

Analysis

max time kernel
141s
max time network
166s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:17

Sharing

Report Analysis Logs

General

Target

b10cc7b88d7a76bbb5f22fd3cad50e351c902e1d16daaf9135f44b9571e533eb.dll
Size

164KB
MD5

f8663767268e48d6bd4591772463120c
SHA1

5acfd215ddfe0e23d9b7ca4d0cf058d0c2af3a8c
SHA256

b10cc7b88d7a76bbb5f22fd3cad50e351c902e1d16daaf9135f44b9571e533eb
SHA512

caec157bea4fd5063f510cb34019c6379114f70aea8da690dbb1aefe06b4fe05b367bb67027ab2c2a18f2db0fe8c700280af1f571cd0c41d88a101923b323345

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2012 created 2420 2012 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2012 2420 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2012 WerFault.exe
Token: SeBackupPrivilege 2012 WerFault.exe
Token: SeDebugPrivilege 2012 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2168 wrote to memory of 2420	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2420	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2420	2168	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b10cc7b88d7a76bbb5f22fd3cad50e351c902e1d16daaf9135f44b9571e533eb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b10cc7b88d7a76bbb5f22fd3cad50e351c902e1d16daaf9135f44b9571e533eb.dll,#1
2⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 744
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-118-0x0000000002F20000-0x0000000003064000-memory.dmp

Filesize
1.3MB

Download
memory/2420-119-0x0000000003070000-0x0000000003093000-memory.dmp

Filesize
140KB

Download
memory/2420-120-0x0000000006030000-0x0000000006036000-memory.dmp

Filesize
24KB

Download