0d19f60423cb2128555e831dc340152f9588c99f3e47d64f0bb4206a6213d579

Resubmissions

22-11-2022 18:16

221122-wwfvvace62 10

09-01-2020 09:55

200109-9cw38n1aex 10

Analysis

max time kernel
101s
resource
win10v191014
submitted
09-01-2020 09:55

Sharing

Copy URL

Twitter E-mail

General

Target

0d19f60423cb2128555e831dc340152f9588c99f3e47d64f0bb4206a6213d579
Sample

200109-9cw38n1aex
SHA256

0d19f60423cb2128555e831dc340152f9588c99f3e47d64f0bb4206a6213d579

Score

10^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Program crash 2 IoCs

pid	Process
5044	WerFault.exe
4680	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5044	WerFault.exe
Token: SeBackupPrivilege	5044	WerFault.exe
Token: SeDebugPrivilege	5044	WerFault.exe
Token: SeDebugPrivilege	4680	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	WerFault.exe
4680	WerFault.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4680 created 4988	4680	WerFault.exe	71

C:\Users\Admin\AppData\Local\Temp\0d19f60423cb2128555e831dc340152f9588c99f3e47d64f0bb4206a6213d579.exe
"C:\Users\Admin\AppData\Local\Temp\0d19f60423cb2128555e831dc340152f9588c99f3e47d64f0bb4206a6213d579.exe"
1⤵
PID:4988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 616
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 608
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4680-994-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1015-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1016-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-995-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1014-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1013-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-959-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4680-960-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4680-961-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4680-981-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-982-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4680-983-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-984-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-985-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-986-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-987-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-988-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-996-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-990-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-991-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-992-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-993-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1012-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1011-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-989-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-997-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-998-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-999-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1000-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1001-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1002-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1003-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1004-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1005-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1006-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1007-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1008-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1009-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4680-1010-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/5044-2-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/5044-954-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/5044-958-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/5044-956-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/5044-0-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/5044-952-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download