Analysis
- max time kernel: 60s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 22:36

Static task: static1
Behavioral task: behavioral1
Sample: f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
Resource: win7v20201028
General
- Target: f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
- Size: 324KB
- MD5: bda20d0177640d129ace7394841fe5c0
- SHA1: 3c8c531a28901ce5f3a6eb9b5ac1c353bfc73f87
- SHA256: f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7
- SHA512: bfaedf705c5bdb3b8b4aa63b18a20e9336ee77999e3637f3677f3aa1623270e5b9dbb62bcd1d1b338979c391cb38d4b127544120804ac42e1c515b0776d02e9e
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  PID 3284 created 4696 | 3284 | WerFault.exe | f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  4696 | f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  3284 | 4696 | WerFault.exe | f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid | process):
  4696 | f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe (5 entries)
  3284 | WerFault.exe (15 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4696 | f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
  Token: SeRestorePrivilege | 3284 | WerFault.exe
  Token: SeBackupPrivilege | 3284 | WerFault.exe
  Token: SeDebugPrivilege | 3284 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1360
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\10d99b49-052f-4ada-adab-4c003fc333e5\AgileDotNetRT.dll
  MD5: edd74be9723cdc6a5692954f0e51c9f3
  SHA1: e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
  SHA256: 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
  SHA512: 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3
- memory/4696-114-0x00000000002B0000-0x00000000002B1000-memory.dmp (filesize 4KB)
- memory/4696-117-0x0000000072A90000-0x0000000072B10000-memory.dmp (filesize 512KB)
- memory/4696-118-0x0000000004DA0000-0x0000000004DA1000-memory.dmp (filesize 4KB)
- memory/4696-119-0x0000000005310000-0x0000000005311000-memory.dmp (filesize 4KB)
- memory/4696-120-0x0000000004B90000-0x0000000004B91000-memory.dmp (filesize 4KB)
- memory/4696-121-0x0000000004B93000-0x0000000004B95000-memory.dmp (filesize 8KB)
- memory/4696-122-0x0000000005D70000-0x0000000005D71000-memory.dmp (filesize 4KB)
- memory/4696-123-0x0000000004B95000-0x0000000004B96000-memory.dmp (filesize 4KB)
- memory/4696-124-0x0000000004B96000-0x0000000004B97000-memory.dmp (filesize 4KB)