27ac1959b9c2137b608a59a1cdfbad3d398941c92f590a1d92a9fbe004d27ef9

General

Target

5b6e0ad1b996da7f22e6c55d2338b53f.exe
Size

831KB
MD5

5b6e0ad1b996da7f22e6c55d2338b53f
SHA1

85e19f4fe4f6372e945526106532daa1b9eddb63
SHA256

27ac1959b9c2137b608a59a1cdfbad3d398941c92f590a1d92a9fbe004d27ef9
SHA512

7fa2e467bacb284985d1410e8c0cacb176bc5edfc425d93ff7ced7b44ae4fd3e1284289574da3c59427ed3f0aeeb22ff55909dcbbcf65da0a172c41297aabd60

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2576 created 4808 2576 WerFault.exe 5b6e0ad1b996da7f22e6c55d2338b53f.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.2ip.ua
11 api.2ip.ua

description	pid	process	target process
PID 2576 created 4808	2576	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe

flow	ioc
12	api.2ip.ua
11	api.2ip.ua

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4196	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
4352	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
424	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
812	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
396	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
1032	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
1152	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
1360	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
1512	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
1804	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
1988	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
2168	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
3104	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe
2576	4808	WerFault.exe	5b6e0ad1b996da7f22e6c55d2338b53f.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5b6e0ad1b996da7f22e6c55d2338b53f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	5b6e0ad1b996da7f22e6c55d2338b53f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	5b6e0ad1b996da7f22e6c55d2338b53f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	4196	WerFault.exe
Token: SeBackupPrivilege	4196	WerFault.exe
Token: SeDebugPrivilege	4196	WerFault.exe
Token: SeDebugPrivilege	4352	WerFault.exe
Token: SeDebugPrivilege	424	WerFault.exe
Token: SeDebugPrivilege	812	WerFault.exe
Token: SeDebugPrivilege	396	WerFault.exe
Token: SeDebugPrivilege	1032	WerFault.exe
Token: SeDebugPrivilege	1152	WerFault.exe
Token: SeDebugPrivilege	1360	WerFault.exe
Token: SeDebugPrivilege	1512	WerFault.exe
Token: SeDebugPrivilege	1804	WerFault.exe
Token: SeDebugPrivilege	1988	WerFault.exe
Token: SeDebugPrivilege	2168	WerFault.exe
Token: SeDebugPrivilege	3104	WerFault.exe
Token: SeDebugPrivilege	2576	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5b6e0ad1b996da7f22e6c55d2338b53f.exe
"C:\Users\Admin\AppData\Local\Temp\5b6e0ad1b996da7f22e6c55d2338b53f.exe"
1⤵
- Modifies system certificate store
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 868
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 888
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 916
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1040
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1132
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1460
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1684
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1660
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1700
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1416
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1456
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1680
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1748
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4808-114-0x0000000002310000-0x000000000242A000-memory.dmp

Filesize
1.1MB

Download
memory/4808-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads