Analysis
- Max time kernel: 122s
- Max time network: 123s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 17-11-2020 12:29

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9ae5b3d8924d251ed4799a1223da2aac.exe
- Resource: win7v20201028 (windows7_x64)
- Signatures: 0
- Duration: 0 seconds
General
- Target: 9ae5b3d8924d251ed4799a1223da2aac.exe
- Size: 514KB
- MD5: f419548a046f3238df9d95d40e3a8fdd
- SHA1: 76fda035703781cfe5f785b8f230e7db6eef2abf
- SHA256: 86c1ba04c2400da557124c31d3366eb792080a254e6166e7a426a27b0cd16693
- SHA512: cca8b94d53abde68c7fcf83fa246674cea3c607e65164d59824ec940b720560c33574c1e2e40c811667f9c685d61017eb27ca03bf671a159c4d8066ccf12f36d
Malware Config
(none extracted)

Signatures
Program crash (1 IoC)
Processes:
- pid 1636, pid_target 1056, process WerFault.exe, target process 9ae5b3d8924d251ed4799a1223da2aac.exe

Modifies system certificate store (2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (process 9ae5b3d8924d251ed4799a1223da2aac.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 (process 9ae5b3d8924d251ed4799a1223da2aac.exe)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- pid 1636, process WerFault.exe
- pid 1636, process WerFault.exe
- pid 1636, process WerFault.exe
- pid 1636, process WerFault.exe
- pid 1636, process WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, pid 1636, process WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- PID 1056 wrote to memory of 1636: 9ae5b3d8924d251ed4799a1223da2aac.exe -> WerFault.exe
- PID 1056 wrote to memory of 1636: 9ae5b3d8924d251ed4799a1223da2aac.exe -> WerFault.exe
- PID 1056 wrote to memory of 1636: 9ae5b3d8924d251ed4799a1223da2aac.exe -> WerFault.exe
- PID 1056 wrote to memory of 1636: 9ae5b3d8924d251ed4799a1223da2aac.exe -> WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9ae5b3d8924d251ed4799a1223da2aac.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ae5b3d8924d251ed4799a1223da2aac.exe"
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 928
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
(no network activity recorded)

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1056-0-0x00000000024B7000-0x00000000024B8000-memory.dmp (filesize 4KB)
- memory/1056-1-0x0000000003E30000-0x0000000003E41000-memory.dmp (filesize 68KB)
- memory/1636-2-0x0000000000000000-mapping.dmp
- memory/1636-3-0x0000000002280000-0x0000000002291000-memory.dmp (filesize 68KB)
- memory/1636-4-0x0000000002280000-0x0000000002291000-memory.dmp (filesize 68KB)
- memory/1636-6-0x0000000002810000-0x0000000002821000-memory.dmp (filesize 68KB)