98d17731ce6eba2772c94fbe5b740cbd83b5d5b0da6809c265ff3dc0da391163 | Triage

Resubmissions

28-02-2022 15:51

220228-tardcagaan 10

06-08-2021 12:19

210806-hnjccvz1gs 3

Analysis

max time kernel
89s
max time network
201s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-02-2022 15:51

Sharing

Report Analysis Logs

General

Target

98d17731ce6eba2772c94fbe5b740cbd83b5d5b0da6809c265ff3dc0da391163.dll
Size

81KB
MD5

5a9d40558e6c795e24935b9040354e6a
SHA1

52b07a8c5d3163299a0844d802258ccc62b16dff
SHA256

98d17731ce6eba2772c94fbe5b740cbd83b5d5b0da6809c265ff3dc0da391163
SHA512

67e43c79f5fdc53fb694d4f186d0766cbd9358416a843d91680af6513485430c82970ae6d5a53b375d984bae93ebd8177e45470e9b6fe0943505010e18f4c4ac

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2504 1684 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2504 WerFault.exe
Token: SeBackupPrivilege 2504 WerFault.exe
Token: SeDebugPrivilege 2504 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2032 wrote to memory of 1684	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1684	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1684	2032	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d17731ce6eba2772c94fbe5b740cbd83b5d5b0da6809c265ff3dc0da391163.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d17731ce6eba2772c94fbe5b740cbd83b5d5b0da6809c265ff3dc0da391163.dll,#1
2⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 620
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...