2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f | Triage

Analysis

max time kernel
121s
max time network
153s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 02:20

Sharing

Report Analysis Logs

General

Target

2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll
Size

164KB
MD5

5fa2e3adcd15792d66654130fcf47744
SHA1

1df8a5fb27139fb5ca5cf0f5921e4e9808ee97a1
SHA256

2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f
SHA512

41ddd0647a56174e9953322236892a4b6db133503bf6421b6dcfa24f103f584be0e6000fe574e69293468b72e4191bd95a18dbaa9add6fc11ce20b022c0aa37e

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1600 created 3692 1600 WerFault.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1600 3692 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1600 WerFault.exe
Token: SeBackupPrivilege 1600 WerFault.exe
Token: SeDebugPrivilege 1600 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1284 wrote to memory of 3692	1284	rundll32.exe	rundll32.exe
PID 1284 wrote to memory of 3692	1284	rundll32.exe	rundll32.exe
PID 1284 wrote to memory of 3692	1284	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa7b5a60cd1a8b67b09a13e09529fe399d2f3f62c5591badaccf5d3a052289f.dll,#1
2⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 812
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3692-209-0x0000000000D40000-0x0000000000E8A000-memory.dmp

Filesize
1.3MB

Download
memory/3692-210-0x0000000000D40000-0x0000000000E8A000-memory.dmp

Filesize
1.3MB

Download
memory/3692-211-0x0000000000D40000-0x0000000000E8A000-memory.dmp

Filesize
1.3MB

Download