8b61cadaeda4c14d7bd9e7990c6620e111809cd57ea0ea222063b0cff1f6c316

General

Target

werkernel.exe
Size

448KB
MD5

c4dd780560091c8d2da429c7c689f84b
SHA1

a2e36c89eb4cddccc4d73bf0525a0da46258d8a0
SHA256

8b61cadaeda4c14d7bd9e7990c6620e111809cd57ea0ea222063b0cff1f6c316
SHA512

56c000112a85912ec495350604644224af57921e0cfa0f7c405b6edd74e104a2a014164547f3f001e348e79deebc8a6a0918311f2a42a733eb862a64ceabf08f
SSDEEP

12288:f9V25AA7SLpRf7yuuVpqC//7S4wpkNoWFscHGO:f9OAvHf7yuepq8znwq5FsqGO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

werkernel.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	werkernel.exe

Loads dropped DLL 1 IoCs

Processes:

dwm.exe

pid process

4760 dwm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4760	dwm.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

werkernel.exewerkernel.exewerkernel.exedwm.exe

pid	process
3932	werkernel.exe
3932	werkernel.exe
3932	werkernel.exe
3932	werkernel.exe
3932	werkernel.exe
3932	werkernel.exe
3932	werkernel.exe
3932	werkernel.exe
2364	werkernel.exe
2364	werkernel.exe
2364	werkernel.exe
2364	werkernel.exe
2364	werkernel.exe
2364	werkernel.exe
2364	werkernel.exe
2364	werkernel.exe
4980	werkernel.exe
4980	werkernel.exe
4980	werkernel.exe
4980	werkernel.exe
4980	werkernel.exe
4980	werkernel.exe
4980	werkernel.exe
4980	werkernel.exe
4760	dwm.exe
4760	dwm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	4760	dwm.exe
Token: SeChangeNotifyPrivilege	4760	dwm.exe
Token: 33	4760	dwm.exe
Token: SeIncBasePriorityPrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe
Token: SeShutdownPrivilege	4760	dwm.exe
Token: SeCreatePagefilePrivilege	4760	dwm.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

werkernel.exewerkernel.exewerkernel.exe

description	pid	process	target process
PID 3932 wrote to memory of 2364	3932	werkernel.exe	werkernel.exe
PID 3932 wrote to memory of 2364	3932	werkernel.exe	werkernel.exe
PID 2364 wrote to memory of 4980	2364	werkernel.exe	werkernel.exe
PID 2364 wrote to memory of 4980	2364	werkernel.exe	werkernel.exe
PID 4980 wrote to memory of 440	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 440	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 1824	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 1824	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 1548	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 1548	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 3436	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 3436	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 1816	4980	werkernel.exe	cmd.exe
PID 4980 wrote to memory of 1816	4980	werkernel.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\werkernel.exe
"C:\Users\Admin\AppData\Local\Temp\werkernel.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\werkernel.exe
C:\Users\Admin\AppData\Local\Temp\werkernel.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\werkernel.exe
C:\Users\Admin\AppData\Local\Temp\werkernel.exe
3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:3436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1816

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\s1.dll
Filesize
326KB

MD5
3b402bf2f6c71870316ef98f542de4ab

SHA1
9649fab1fa0ed9a9023296a94044290e8943b07e

SHA256
d0ba0bcc57bf35cd469ffaf352cf950d04358d1d64e127fb9fd05f21d264598d

SHA512
15a0fa3acdefc0c9cd57463c43ba2a25f63c75a75107a4b3b97c852fec320732b8d097f01a181a80e5a83655f7fca9b6faca8a8455029f2acce3d948071afe29

Download Submit
memory/2364-5-0x00000234CCA10000-0x00000234CCA5E000-memory.dmp

Filesize
312KB

Download
memory/3932-0-0x00007FFABAF30000-0x00007FFABAF31000-memory.dmp

Filesize
4KB

Download
memory/3932-2-0x0000022A88F40000-0x0000022A88F8E000-memory.dmp

Filesize
312KB

Download
memory/4760-10-0x0000022B85820000-0x0000022B8585A000-memory.dmp

Filesize
232KB

Download
memory/4760-12-0x0000022B85860000-0x0000022B8589F000-memory.dmp

Filesize
252KB

Download
memory/4980-20-0x000001D756870000-0x000001D7568BE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads