a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2 | Triage

Analysis

max time kernel
124s
max time network
144s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:24

Sharing

Report Analysis Logs

General

Target

a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll
Size

164KB
MD5

63b4982a662c0de086d77a627a8765b1
SHA1

fc4fd68c29463a123891158bbad80f581a12473a
SHA256

a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2
SHA512

5b8a953f8aee68f932477d203c9ddb1f8a0c77cc548a8c004ae972ad2886c076088c2f0b808d0b026607a78b573e18781f9a2fb3fc456a4ad477e858853eae92

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2716 created 2820 2716 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2716 2820 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2716 WerFault.exe
Token: SeBackupPrivilege 2716 WerFault.exe
Token: SeDebugPrivilege 2716 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3048 wrote to memory of 2820	3048	rundll32.exe	rundll32.exe
PID 3048 wrote to memory of 2820	3048	rundll32.exe	rundll32.exe
PID 3048 wrote to memory of 2820	3048	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a683598387e9e27fb515703b28b7d7abff0f38c78b172c148a4cc71339896cf2.dll,#1
2⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 828
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-116-0x0000000003400000-0x000000000354A000-memory.dmp

Filesize
1.3MB

Download
memory/2820-117-0x0000000003400000-0x000000000354A000-memory.dmp

Filesize
1.3MB

Download
memory/2820-119-0x00000000063D0000-0x00000000063D6000-memory.dmp

Filesize
24KB

Download
memory/2820-118-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download