00d015edbfb34e16b5b4086d25174ae435ca86d8cd267e0ed9b32db7d1d8ae2f | Triage

Analysis

max time kernel
153s
max time network
153s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 02:37

Sharing

Report Analysis Logs

General

Target

00d015edbfb34e16b5b4086d25174ae435ca86d8cd267e0ed9b32db7d1d8ae2f.dll
Size

161KB
MD5

02e667fbc2ab33b814022f294d7df889
SHA1

156d93406425afb0b3a0c3a1343cefe4631fd35a
SHA256

00d015edbfb34e16b5b4086d25174ae435ca86d8cd267e0ed9b32db7d1d8ae2f
SHA512

f02ac4351cdd49379113f640d2869148aa19c867bf64118b166b21490781dbf354a6d06229dd6868b928931f1c46e1f6eebb021c6c08b687d58d8e46fc372024

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 592 created 3716 592 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

592 3716 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 592 WerFault.exe
Token: SeBackupPrivilege 592 WerFault.exe
Token: SeDebugPrivilege 592 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3372 wrote to memory of 3716	3372	rundll32.exe	rundll32.exe
PID 3372 wrote to memory of 3716	3372	rundll32.exe	rundll32.exe
PID 3372 wrote to memory of 3716	3372	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\00d015edbfb34e16b5b4086d25174ae435ca86d8cd267e0ed9b32db7d1d8ae2f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\00d015edbfb34e16b5b4086d25174ae435ca86d8cd267e0ed9b32db7d1d8ae2f.dll,#1
2⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 700
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3716-117-0x0000000004230000-0x0000000004253000-memory.dmp

Filesize
140KB

Download
memory/3716-118-0x0000000004230000-0x0000000004253000-memory.dmp

Filesize
140KB

Download
memory/3716-119-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/3716-120-0x0000000004400000-0x0000000004406000-memory.dmp

Filesize
24KB

Download