af53e36a62f237597b47d34349e40c16a3682a492fe7c320c7e834f6247e078a

General

Target

c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Size

915KB
MD5

76d274c823439cf02f18a0deccfe70c5
SHA1

1cd7cd1fc0f7890da57af806e67061d2022abcd4
SHA256

af53e36a62f237597b47d34349e40c16a3682a492fe7c320c7e834f6247e078a
SHA512

a094877fd2fe166517446eeb2134268fedfeaacba20cd7b964adf7f34affba675fa598c4f9d2689342e07d2bcd8a0e08d2f11202cfd00abffea679bb9d300c48

Score

9^/10

evasion

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Token: SeRestorePrivilege	1004	WerFault.exe
Token: SeBackupPrivilege	1004	WerFault.exe
Token: SeDebugPrivilege	1004	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1004	3816	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe

C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1604
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-0-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1004-1-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads