Analysis
max time kernel: 71s
max time network: 131s
platform: windows10_x64
resource: win10v20210408
submitted: 06-05-2021 07:02
Static task: static1

Behavioral task: behavioral1
  Sample: 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 5b6e0ad1b996da7f22e6c55d2338b53f.exe
Size: 831KB
MD5: 5b6e0ad1b996da7f22e6c55d2338b53f
SHA1: 85e19f4fe4f6372e945526106532daa1b9eddb63
SHA256: 27ac1959b9c2137b608a59a1cdfbad3d398941c92f590a1d92a9fbe004d27ef9
SHA512: 7fa2e467bacb284985d1410e8c0cacb176bc5edfc425d93ff7ced7b44ae4fd3e1284289574da3c59427ed3f0aeeb22ff55909dcbbcf65da0a172c41297aabd60
Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description              | pid  | process      | target process
  PID 2576 created 4808    | 2576 | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  12   | api.2ip.ua
  11   | api.2ip.ua
Program crash (14 IoCs)
Processes:
  pid  | pid_target | process      | target process
  4196 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  4352 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  424  | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  812  | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  396  | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  1032 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  1152 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  1360 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  1512 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  1804 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  1988 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  2168 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  3104 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  2576 | 4808       | WerFault.exe | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
Modifies system certificate store
Processes:
  description      | ioc | process
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 5b6e0ad1b996da7f22e6c55d2338b53f.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | 5b6e0ad1b996da7f22e6c55d2338b53f.exe

Note on the IoC above: the Blob value is a CryptoAPI certificate blob whose embedded DER certificate carries the subject "Comodo CA Limited / AAA Certificate Services" and the friendly-name property "Sectigo (AAA)" (both readable in the hex), and its SHA1 thumbprint matches the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349. The entry sits under AuthRoot, the store Windows' automatic root-certificate update populates; together with the outbound connection to api.2ip.ua this is consistent with a public root being cached on first TLS use rather than with a rogue certificate being installed, so this signature should be weighed accordingly.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid  | process      | entries
  4196 | WerFault.exe | 15
  4352 | WerFault.exe | 14
  424  | WerFault.exe | 14
  812  | WerFault.exe | 14
  396  | WerFault.exe | 7
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description                | pid  | process
  Token: SeRestorePrivilege  | 4196 | WerFault.exe
  Token: SeBackupPrivilege   | 4196 | WerFault.exe
  Token: SeDebugPrivilege    | 4196 | WerFault.exe
  Token: SeDebugPrivilege    | 4352 | WerFault.exe
  Token: SeDebugPrivilege    | 424  | WerFault.exe
  Token: SeDebugPrivilege    | 812  | WerFault.exe
  Token: SeDebugPrivilege    | 396  | WerFault.exe
  Token: SeDebugPrivilege    | 1032 | WerFault.exe
  Token: SeDebugPrivilege    | 1152 | WerFault.exe
  Token: SeDebugPrivilege    | 1360 | WerFault.exe
  Token: SeDebugPrivilege    | 1512 | WerFault.exe
  Token: SeDebugPrivilege    | 1804 | WerFault.exe
  Token: SeDebugPrivilege    | 1988 | WerFault.exe
  Token: SeDebugPrivilege    | 2168 | WerFault.exe
  Token: SeDebugPrivilege    | 3104 | WerFault.exe
  Token: SeDebugPrivilege    | 2576 | WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5b6e0ad1b996da7f22e6c55d2338b53f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5b6e0ad1b996da7f22e6c55d2338b53f.exe"
  - Modifies system certificate store

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 868
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 888
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 916
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1040
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1132
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1140
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1460
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1684
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1660
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1700
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1416
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1456
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1680
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1748
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken