Analysis
max time kernel: 126s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 11-11-2020 11:29
Static task: static1
Behavioral task: behavioral1
Sample: bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
Resource: win7v20201028
General
Target: bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
Size: 647KB
MD5: 83f234e0bcace527114b482b1dbacdd2
SHA1: 63ec5686ccc7ff8ac0e2767e8cfb78e80c6b1a4e
SHA256: bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1
SHA512: 7ad47ed7875014d35deb62b51f14cd8925deb25cc8404073d53dc5f00204e8b5b9a25a4b04b795bc276f3abebda26731d63985ec25c0464149fd49280d2bda48
Malware Config
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  12    ip-api.com
- Program crash (7 IoCs)
  Processes:
  pid   pid_target  process       target process
  2924  3980        WerFault.exe  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  3928  3980        WerFault.exe  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  4036  3980        WerFault.exe  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  188   3980        WerFault.exe  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  2600  3980        WerFault.exe  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  648   3980        WerFault.exe  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  3988  3980        WerFault.exe  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
- Suspicious behavior: EnumeratesProcesses (105 IoCs)
  Processes (each pid appears multiple times in the full listing, which is truncated here):
  pid   process
  2924  WerFault.exe
  3928  WerFault.exe
  4036  WerFault.exe
  188   WerFault.exe
  2600  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes:
  description                 pid   process
  Token: SeRestorePrivilege   2924  WerFault.exe
  Token: SeBackupPrivilege    2924  WerFault.exe
  Token: SeDebugPrivilege     2924  WerFault.exe
  Token: SeDebugPrivilege     3928  WerFault.exe
  Token: SeDebugPrivilege     4036  WerFault.exe
  Token: SeDebugPrivilege     188   WerFault.exe
  Token: SeDebugPrivilege     2600  WerFault.exe
  Token: SeDebugPrivilege     648   WerFault.exe
  Token: SeDebugPrivilege     3988  WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfd535639bc0b0b056a84695c1bbcc58d9e2af184b36fd43460a1f52d47b17a1.exe"
  - Checks processor information in registry
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 812
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 932
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1076
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1136
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1048
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1112
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1212
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
File                                                            Size
memory/188-14-0x0000000004190000-0x0000000004191000-memory.dmp  4KB
memory/188-17-0x0000000004940000-0x0000000004941000-memory.dmp  4KB
memory/648-75-0x0000000004320000-0x0000000004321000-memory.dmp  4KB
memory/2600-22-0x0000000004D50000-0x0000000004D51000-memory.dmp 4KB
memory/2600-18-0x00000000045A0000-0x00000000045A1000-memory.dmp 4KB
memory/2924-5-0x0000000005500000-0x0000000005501000-memory.dmp  4KB
memory/2924-3-0x0000000004D50000-0x0000000004D51000-memory.dmp  4KB
memory/2924-2-0x0000000004D50000-0x0000000004D51000-memory.dmp  4KB
memory/3928-9-0x0000000005310000-0x0000000005311000-memory.dmp  4KB
memory/3928-6-0x0000000004BE0000-0x0000000004BE1000-memory.dmp  4KB
memory/3980-0-0x0000000001002000-0x0000000001003000-memory.dmp  4KB
memory/3980-1-0x00000000014C0000-0x00000000014C1000-memory.dmp  4KB
memory/3988-79-0x0000000004190000-0x0000000004191000-memory.dmp 4KB
memory/3988-82-0x0000000004C50000-0x0000000004C51000-memory.dmp 4KB
memory/4036-10-0x0000000004890000-0x0000000004891000-memory.dmp 4KB
memory/4036-13-0x0000000004EC0000-0x0000000004EC1000-memory.dmp 4KB