Analysis
- max time kernel: 130s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 12:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: 83f234e0bcace527114b482b1dbacdd2.exe
- Resource: win7v20201028
General
- Target: 83f234e0bcace527114b482b1dbacdd2.exe
- Size: 647KB
- MD5: 0892feb747ffa0d3ba5b07f3873dd5e2
- SHA1: 34516ff7bae5807e8e6db8723599f6c55dd4e9b0
- SHA256: 6bf0d3a73e117b973c2c40ef9139a55e6d07a3ea7cf408d56bfb6f85f8a47049
- SHA512: fb0ce76fce1572c78751288f9cdce118ba3b53480ff71070c2ed40bf5eac87a2d00f9ca632c6b14f06e64e758f8be2a52aa237e1e16d0aa256ca88f09b73ad71
Malware Config
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 11 | ioc: ip-api.com
- Program crash (8 IoCs)
  Processes (pid | pid_target | process | target process):
    412  | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
    3608 | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
    4040 | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
    2904 | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
    3012 | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
    1532 | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
    3568 | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
    3864 | 508 | WerFault.exe | 83f234e0bcace527114b482b1dbacdd2.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | 83f234e0bcace527114b482b1dbacdd2.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 83f234e0bcace527114b482b1dbacdd2.exe
- Suspicious behavior: EnumeratesProcesses (119 IoCs)
  Processes (pid | process), each pid listed repeatedly; the extracted table is cut off after pid 3012:
    412  | WerFault.exe
    3608 | WerFault.exe
    4040 | WerFault.exe
    2904 | WerFault.exe
    3012 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description | pid | process):
    Token: SeRestorePrivilege | 412  | WerFault.exe
    Token: SeBackupPrivilege  | 412  | WerFault.exe
    Token: SeDebugPrivilege   | 412  | WerFault.exe
    Token: SeDebugPrivilege   | 3608 | WerFault.exe
    Token: SeDebugPrivilege   | 4040 | WerFault.exe
    Token: SeDebugPrivilege   | 2904 | WerFault.exe
    Token: SeDebugPrivilege   | 3012 | WerFault.exe
    Token: SeDebugPrivilege   | 1532 | WerFault.exe
    Token: SeDebugPrivilege   | 3568 | WerFault.exe
    Token: SeDebugPrivilege   | 3864 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\83f234e0bcace527114b482b1dbacdd2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\83f234e0bcace527114b482b1dbacdd2.exe"
  - Checks processor information in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 820
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 924
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1044
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1100
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1020
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1012
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1220
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1008
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/412-2-0x0000000004D50000-0x0000000004D51000-memory.dmp (4KB)
- memory/412-3-0x0000000004D50000-0x0000000004D51000-memory.dmp (4KB)
- memory/508-1-0x0000000001310000-0x0000000001311000-memory.dmp (4KB)
- memory/508-0-0x0000000000F61000-0x0000000000F62000-memory.dmp (4KB)
- memory/1532-22-0x0000000004DE0000-0x0000000004DE1000-memory.dmp (4KB)
- memory/1532-25-0x0000000005410000-0x0000000005411000-memory.dmp (4KB)
- memory/2904-14-0x00000000044F0000-0x00000000044F1000-memory.dmp (4KB)
- memory/2904-17-0x0000000004930000-0x0000000004931000-memory.dmp (4KB)
- memory/3012-18-0x00000000049E0000-0x00000000049E1000-memory.dmp (4KB)
- memory/3012-21-0x0000000005110000-0x0000000005111000-memory.dmp (4KB)
- memory/3568-26-0x0000000004C70000-0x0000000004C71000-memory.dmp (4KB)
- memory/3568-29-0x00000000053A0000-0x00000000053A1000-memory.dmp (4KB)
- memory/3608-6-0x00000000044F0000-0x00000000044F1000-memory.dmp (4KB)
- memory/3864-30-0x00000000044F0000-0x00000000044F1000-memory.dmp (4KB)
- memory/3864-35-0x00000000044F0000-0x00000000044F1000-memory.dmp (4KB)
- memory/3864-36-0x0000000004C80000-0x0000000004C81000-memory.dmp (4KB)
- memory/4040-13-0x0000000004B20000-0x0000000004B21000-memory.dmp (4KB)