6e8dafc9ac2e48e6b42dd15ce4c49d0dc0a83e6ca93fafeec8b87244ec05dea0

General

Target

e00d79d79815ef47cf0d5ec5f3e76656.exe
Size

830KB
MD5

e00d79d79815ef47cf0d5ec5f3e76656
SHA1

79efabc933ddf9406da1a761d60bfe453a930a06
SHA256

6e8dafc9ac2e48e6b42dd15ce4c49d0dc0a83e6ca93fafeec8b87244ec05dea0
SHA512

ce6983ff7ec3e3dd0ccb53ce93e8a3f8164da2d919defdf44d5ef6f7faab6ace375a58846e29836743018a8a9ff8917fc05e9d277b2aeead577b9aad33b20652

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3500 created 3772 3500 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
8 api.2ip.ua

description	pid	process	target process
PID 3500 created 3772	3500	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe

flow	ioc
9	api.2ip.ua
8	api.2ip.ua

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1780	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
2192	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
2400	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
2700	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
2732	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
1820	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
1824	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
2940	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
4004	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
1160	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
2236	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
776	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
3916	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe
3500	3772	WerFault.exe	e00d79d79815ef47cf0d5ec5f3e76656.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

e00d79d79815ef47cf0d5ec5f3e76656.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	e00d79d79815ef47cf0d5ec5f3e76656.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	e00d79d79815ef47cf0d5ec5f3e76656.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1780	WerFault.exe
Token: SeBackupPrivilege	1780	WerFault.exe
Token: SeDebugPrivilege	1780	WerFault.exe
Token: SeDebugPrivilege	2192	WerFault.exe
Token: SeDebugPrivilege	2400	WerFault.exe
Token: SeDebugPrivilege	2700	WerFault.exe
Token: SeDebugPrivilege	2732	WerFault.exe
Token: SeDebugPrivilege	1820	WerFault.exe
Token: SeDebugPrivilege	1824	WerFault.exe
Token: SeDebugPrivilege	2940	WerFault.exe
Token: SeDebugPrivilege	4004	WerFault.exe
Token: SeDebugPrivilege	1160	WerFault.exe
Token: SeDebugPrivilege	2236	WerFault.exe
Token: SeDebugPrivilege	776	WerFault.exe
Token: SeDebugPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	3500	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e00d79d79815ef47cf0d5ec5f3e76656.exe
"C:\Users\Admin\AppData\Local\Temp\e00d79d79815ef47cf0d5ec5f3e76656.exe"
1⤵
- Modifies system certificate store
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 868
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 820
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 932
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1116
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1080
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1128
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1440
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1668
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1428
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1716
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1464
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1584
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1764
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 852
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3772-114-0x0000000002270000-0x000000000238A000-memory.dmp

Filesize
1.1MB

Download
memory/3772-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads