37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2 | Triage

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
02-03-2022 13:37

Sharing

Report Analysis Logs

General

Target

1.dll
Size

901KB
MD5

8371d1c15af2ffa8111deef437997d79
SHA1

d4b427988b2876546c2e00329ac1b9ba3905c9b8
SHA256

37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2
SHA512

d09c4b72f2f9219d12cb2735a835382b1fb5c4e0f8487a5b025494a7576780c893e48f713b5986d93328fe92642ca47794d1fca95cf65c1cb1835daab17db23a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
836	1652	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
836	WerFault.exe
836	WerFault.exe
836	WerFault.exe
836	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
836	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 836	1652	regsvr32.exe	27
PID 1652 wrote to memory of 836	1652	regsvr32.exe	27
PID 1652 wrote to memory of 836	1652	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1652 -s 240
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-56-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1652-54-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

Filesize
8KB

Download