Analysis

max time kernel: 131s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 15-11-2020 22:42

Static task: static1
Behavioral task: behavioral1
Sample: de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
Resource: win7v20201028
General

Target: de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
Size: 647KB
MD5: dd7a4ea55e1db3432506b4394150a1e1
SHA1: d0484e079e1af25d720d2108e2abd6e17ad755dd
SHA256: de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb
SHA512: d7edf1e611c4bb3ef1246672bac5160549f51fec04cc209d15cf96537fb8239e6cf4710c5d69c13836c6d2d317aea974096e8d719f5ecb8a6a89386edd4cec8b
Malware Config
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    11    ip-api.com
- Program crash (7 IoCs)
  Processes:
    pid   pid_target  process       target process
    4084  3372        WerFault.exe  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    4056  3372        WerFault.exe  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    760   3372        WerFault.exe  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    2328  3372        WerFault.exe  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    2756  3372        WerFault.exe  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    3120  3372        WerFault.exe  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    3204  3372        WerFault.exe  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                  process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
- Suspicious behavior: EnumeratesProcesses (105 IoCs)
  Processes (the page lists 64 of the 105 entries; identical rows are collapsed here with a count):
    pid   process       entries
    4084  WerFault.exe  14
    4056  WerFault.exe  14
    760   WerFault.exe  14
    2328  WerFault.exe  14
    2756  WerFault.exe  8
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  4084  WerFault.exe
    Token: SeBackupPrivilege   4084  WerFault.exe
    Token: SeDebugPrivilege    4084  WerFault.exe
    Token: SeDebugPrivilege    4056  WerFault.exe
    Token: SeDebugPrivilege    760   WerFault.exe
    Token: SeDebugPrivilege    2328  WerFault.exe
    Token: SeDebugPrivilege    2756  WerFault.exe
    Token: SeDebugPrivilege    3120  WerFault.exe
    Token: SeDebugPrivilege    3204  WerFault.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe"
  - Checks processor information in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 780
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 924
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1056
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 924
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1096
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1152
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1104
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/760-10-0x00000000047E0000-0x00000000047E1000-memory.dmp (Filesize: 4KB)
- memory/760-13-0x0000000004D10000-0x0000000004D11000-memory.dmp (Filesize: 4KB)
- memory/2328-17-0x0000000005140000-0x0000000005141000-memory.dmp (Filesize: 4KB)
- memory/2328-14-0x0000000004B10000-0x0000000004B11000-memory.dmp (Filesize: 4KB)
- memory/2756-21-0x00000000055D0000-0x00000000055D1000-memory.dmp (Filesize: 4KB)
- memory/2756-18-0x00000000050A0000-0x00000000050A1000-memory.dmp (Filesize: 4KB)
- memory/3120-24-0x0000000005050000-0x0000000005051000-memory.dmp (Filesize: 4KB)
- memory/3120-27-0x0000000005780000-0x0000000005781000-memory.dmp (Filesize: 4KB)
- memory/3204-28-0x0000000004D30000-0x0000000004D31000-memory.dmp (Filesize: 4KB)
- memory/3204-31-0x0000000005880000-0x0000000005881000-memory.dmp (Filesize: 4KB)
- memory/3372-1-0x0000000001290000-0x0000000001291000-memory.dmp (Filesize: 4KB)
- memory/3372-0-0x0000000001001000-0x0000000001002000-memory.dmp (Filesize: 4KB)
- memory/4056-6-0x0000000004F30000-0x0000000004F31000-memory.dmp (Filesize: 4KB)
- memory/4056-9-0x0000000005460000-0x0000000005461000-memory.dmp (Filesize: 4KB)
- memory/4084-5-0x0000000004B80000-0x0000000004B81000-memory.dmp (Filesize: 4KB)
- memory/4084-3-0x0000000004450000-0x0000000004451000-memory.dmp (Filesize: 4KB)
- memory/4084-2-0x0000000004450000-0x0000000004451000-memory.dmp (Filesize: 4KB)