Analysis
-
max time kernel
64s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-05-2021 02:21
Static task
static1
Behavioral task
behavioral1
Sample
e00d79d79815ef47cf0d5ec5f3e76656.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
e00d79d79815ef47cf0d5ec5f3e76656.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
e00d79d79815ef47cf0d5ec5f3e76656.exe
-
Size
830KB
-
MD5
e00d79d79815ef47cf0d5ec5f3e76656
-
SHA1
79efabc933ddf9406da1a761d60bfe453a930a06
-
SHA256
6e8dafc9ac2e48e6b42dd15ce4c49d0dc0a83e6ca93fafeec8b87244ec05dea0
-
SHA512
ce6983ff7ec3e3dd0ccb53ce93e8a3f8164da2d919defdf44d5ef6f7faab6ace375a58846e29836743018a8a9ff8917fc05e9d277b2aeead577b9aad33b20652
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 3500 created 3772 3500 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 api.2ip.ua 8 api.2ip.ua -
Program crash 14 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1780 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 2192 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 2400 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 2700 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 2732 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 1820 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 1824 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 2940 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 4004 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 1160 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 2236 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 776 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 3916 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe 3500 3772 WerFault.exe e00d79d79815ef47cf0d5ec5f3e76656.exe -
Processes:
e00d79d79815ef47cf0d5ec5f3e76656.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 e00d79d79815ef47cf0d5ec5f3e76656.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e e00d79d79815ef47cf0d5ec5f3e76656.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid process 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 1780 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2192 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2700 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process Token: SeRestorePrivilege 1780 WerFault.exe Token: SeBackupPrivilege 1780 WerFault.exe Token: SeDebugPrivilege 1780 WerFault.exe Token: SeDebugPrivilege 2192 WerFault.exe Token: SeDebugPrivilege 2400 WerFault.exe Token: SeDebugPrivilege 2700 WerFault.exe Token: SeDebugPrivilege 2732 WerFault.exe Token: SeDebugPrivilege 1820 WerFault.exe Token: SeDebugPrivilege 1824 WerFault.exe Token: SeDebugPrivilege 2940 WerFault.exe Token: SeDebugPrivilege 4004 WerFault.exe Token: SeDebugPrivilege 1160 WerFault.exe Token: SeDebugPrivilege 2236 WerFault.exe Token: SeDebugPrivilege 776 WerFault.exe Token: SeDebugPrivilege 3916 WerFault.exe Token: SeDebugPrivilege 3500 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e00d79d79815ef47cf0d5ec5f3e76656.exe"C:\Users\Admin\AppData\Local\Temp\e00d79d79815ef47cf0d5ec5f3e76656.exe"1⤵
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 8682⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 8202⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 9322⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 11162⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 10802⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 11282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 14402⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 16682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 14282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 17162⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 14642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 15842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 17642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 8522⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken