Analysis

max time kernel: 69s
max time network: 72s
platform: windows10_x64
resource: win10v200722
submitted: 25/07/2020, 16:17

Static task: static1

Behavioral task: behavioral1
Sample: c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Resource: win7

Behavioral task: behavioral2
Sample: c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Resource: win10v200722

General

Target: c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Size: 915KB
MD5: 76d274c823439cf02f18a0deccfe70c5
SHA1: 1cd7cd1fc0f7890da57af806e67061d2022abcd4
SHA256: af53e36a62f237597b47d34349e40c16a3682a492fe7c320c7e834f6247e078a
SHA512: a094877fd2fe166517446eeb2134268fedfeaacba20cd7b964adf7f34affba675fa598c4f9d2689342e07d2bcd8a0e08d2f11202cfd00abffea679bb9d300c48
Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    3816  c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Token: SeRestorePrivilege  1004  WerFault.exe
  Token: SeBackupPrivilege   1004  WerFault.exe
  Token: SeDebugPrivilege    1004  WerFault.exe

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1004  3816        WerFault.exe  65

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   Process
  1004  WerFault.exe  (13 identical entries)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                                Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe"
  PID: 3816
  - Suspicious use of AdjustPrivilegeToken
  - Checks BIOS information in registry
  - Maps connected drives based on registry

  C:\Windows\SysWOW64\WerFault.exe (child of PID 3816)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1604
    PID: 1004
    - Suspicious use of AdjustPrivilegeToken
    - Program crash
    - Suspicious behavior: EnumeratesProcesses