ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80

General

Target

ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80
Sample

191025-fs2a5gpl12
SHA256

ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80

Score

N/A

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	4308	WerFault.exe
Token: SeBackupPrivilege	4308	WerFault.exe
Token: SeDebugPrivilege	4308	WerFault.exe
Token: SeDebugPrivilege	3200	WerFault.exe
Token: SeDebugPrivilege	4684	WerFault.exe
Token: SeDebugPrivilege	4668	WerFault.exe
Token: SeDebugPrivilege	4788	WerFault.exe
Token: SeDebugPrivilege	3944	WerFault.exe
Token: SeDebugPrivilege	4296	WerFault.exe
Token: SeDebugPrivilege	2948	WerFault.exe
Token: SeDebugPrivilege	4264	WerFault.exe
Token: SeDebugPrivilege	524	WerFault.exe

Drops file in system dir 5 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File opened for modification	C:\Windows\Debug\ESE.TXT	4944	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4944	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4944	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4944	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4944	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

svchost.exeSppExtComObj.exe

description	pid	process	target process
PID 3028 wrote to memory of 4308	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 3200	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 4684	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 4668	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 4788	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 3944	3028	svchost.exe	WerFault.exe
PID 4456 wrote to memory of 4404	4456	SppExtComObj.exe	SLUI.exe
PID 3028 wrote to memory of 4296	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 2948	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 4264	3028	svchost.exe	WerFault.exe
PID 3028 wrote to memory of 524	3028	svchost.exe	WerFault.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

WerFault.exesvchost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4308	WerFault.exe
3028	svchost.exe
3200	WerFault.exe
4684	WerFault.exe
4668	WerFault.exe
4788	WerFault.exe
3944	WerFault.exe
4296	WerFault.exe
2948	WerFault.exe
4264	WerFault.exe
524	WerFault.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 22 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exesvchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4308	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4308	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	3200	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	3200	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4684	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4684	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4668	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4668	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4788	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4788	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	3944	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	3944	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4296	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4296	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2948	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2948	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4264	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4264	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	524	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	524	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	3664	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	3664	svchost.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITSf126f066-1d7c-4113-a5ef-7c421ff61d21"	4944	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4448	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4448	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80.exe

pid process

5040 ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3028 created 5040 3028 svchost.exe ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80.exe

pid	process
5040	ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80.exe

description	pid	process	target process
PID 3028 created 5040	3028	svchost.exe	ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4308	WerFault.exe
3200	WerFault.exe
4684	WerFault.exe
4668	WerFault.exe
4788	WerFault.exe
3944	WerFault.exe
4296	WerFault.exe
2948	WerFault.exe
4264	WerFault.exe
524	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80.exe
"C:\Users\Admin\AppData\Local\Temp\ec042ea8b6b6a94678df7612bffa69082e772b6c9d8a57b0bc89bc1258046b80.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 340
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:4308

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 736
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 716
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 740
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 956
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 996
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:3944

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1140
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1100
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1244
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1284
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks system information in the registry (likely anti-VM)
- Program crash
PID:524

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
- Modifies service
PID:4944

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4632

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:3664

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:3772

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1031
T1089

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4BE.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DE.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC6C.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC8C.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5A6.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB643.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8F3.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB952.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC41.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC5.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC90.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDF9.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEF4.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC14.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC260.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC280.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC56F.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC58F.tmp.txt

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC820.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC87F.tmp.txt

Download Submit
memory/524-62-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/524-63-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/524-61-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2948-48-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/2948-51-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2948-52-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3200-12-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/3200-9-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/3200-13-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3944-37-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/3944-38-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/3944-39-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4264-55-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/4264-57-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/4264-56-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4296-45-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4296-44-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/4296-43-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/4308-2-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/4308-3-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4308-4-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4308-6-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4668-28-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4668-25-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4668-24-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/4668-21-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4684-16-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/4684-18-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4684-17-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4788-33-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4788-32-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/4788-31-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/5040-0-0x0000000000525000-0x0000000000568000-memory.dmp

Filesize
268KB

Download
memory/5040-1-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads