Analysis

max time kernel:  82s
max time network: 139s
platform:         windows10_x64
resource:         win10v20210410
submitted:        06-05-2021 03:03

Static task: static1

Behavioral task: behavioral1
  Sample:   e42ddb0cabb9a77219150f59ff4aa95f.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   e42ddb0cabb9a77219150f59ff4aa95f.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds

General

Target: e42ddb0cabb9a77219150f59ff4aa95f.exe
Size:   830KB
MD5:    e42ddb0cabb9a77219150f59ff4aa95f
SHA1:   4f5e306cc8e24230915dc53f15efeefc5e9f0609
SHA256: f896070688915d517ec78e784f370089c15b012806dd3a3d33557e2bc3d44e2c
SHA512: 2b5b5583d8db653881355afa774c51b06d1a21311148dc370af9f7ad2a1e3e69d36fc355eb1e1152bea649023632082488ea6246a1cf07024af572779ee33cff
Score:  10/10
Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description            pid   process       target process
  PID 1664 created 2016  1664  WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  11    api.2ip.ua
  12    api.2ip.ua
Program crash (14 IoCs)
Fourteen separate WerFault.exe instances were launched, every one of them reporting on the same faulting process, pid_target 2016 (the sample). That is a crash loop in the sample, not fourteen different crashing programs.
  pid   pid_target  process       target process
  3860  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  2280  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  200   2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  2920  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  2184  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  2208  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  3300  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  732   2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  1164  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  2112  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  2116  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  3220  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  1744  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
  1664  2016        WerFault.exe  e42ddb0cabb9a77219150f59ff4aa95f.exe
Modifies system certificate store (2 IoCs)
  description       ioc                                                                                                                    process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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  e42ddb0cabb9a77219150f59ff4aa95f.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                                                                 e42ddb0cabb9a77219150f59ff4aa95f.exe
Caveat: AuthRoot is the store that Windows' automatic root update mechanism populates with root certificates fetched from Windows Update when CryptoAPI builds a chain to a root it does not yet have locally, so a write under AuthRoot\Certificates is frequently a side effect of the first TLS connection a process makes rather than a deliberate installation of a trust anchor. Check what certificate the key actually holds (and whether its thumbprint matches the key name) before treating this as a planted root.
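The check described above, as an added triage script that is not part of the sandbox report or of the sample. It decodes the registry Blob directly (so it does not depend on the certificate store provider) and then reports where else the same thumbprint is trusted. The thumbprint is the one the report records; the host it runs on is assumed to be the analysis VM or a machine you are triaging, and the record layout it parses is the standard CryptoAPI serialized-property format.

```powershell
# Added triage check; not part of the sandbox report or the sample. Inspects
# the AuthRoot entry the report shows being written. The thumbprint is the one
# the report records; the machine it runs on is assumed to be the analysis VM.
$Thumbprint = 'D1EB23A46D17D68FD92564C2F1F1601764D8E349'
$RegPath    = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$Thumbprint"

function Get-CertificateFromRegistryBlob {
    param([byte[]]$Blob)
    # The Blob value is a sequence of CryptoAPI property records:
    #   DWORD PropId, DWORD Reserved (always 1), DWORD Length, BYTE[Length] Data
    # PropId 32 (CERT_CERT_PROP_ID) carries the DER-encoded certificate itself;
    # other records hold cached metadata such as the SHA-1 hash (PropId 3).
    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $len    = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $offset += 12
        if ($propId -eq 32) {
            $der = New-Object byte[] $len
            [Array]::Copy($Blob, $offset, $der, 0, $len)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        }
        $offset += $len
    }
    return $null
}

# 1. Raw registry view: decode the Blob without going through the store provider.
if (Test-Path $RegPath) {
    $blob = (Get-ItemProperty -Path $RegPath -Name Blob).Blob
    $cert = Get-CertificateFromRegistryBlob -Blob $blob
    if ($cert) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            # The key name must equal the SHA-1 of the cert it holds; a mismatch
            # means something other than CryptoAPI wrote the entry.
            HashMatch  = ($cert.Thumbprint -eq $Thumbprint)
        } | Format-List
    } else {
        "Blob present ($($blob.Length) bytes) but contains no CERT_CERT_PROP_ID record"
    }
} else {
    "No registry key: $RegPath"
}

# 2. Where else the same root is trusted. AuthRoot holds roots the automatic
# root update mechanism fetched from Windows Update; Root holds roots installed
# locally or by policy; Disallowed is the untrusted list.
foreach ($store in 'AuthRoot', 'Root', 'Disallowed') {
    $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
           Where-Object { $_.Thumbprint -eq $Thumbprint }
    '{0,-11} {1}' -f $store, $(if ($hit) { 'present' } else { 'absent' })
}
```

If the decoded certificate is a well-known public CA root with a matching thumbprint and sits only in AuthRoot, the write is consistent with the automatic root update path; a self-signed certificate with an unfamiliar subject, or one that also turns up in Root, is what would justify the "modifies certificate store" label as an actual attacker action.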
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Only the first five WerFault.exe PIDs appear in this list; the remaining instances are not enumerated here.
  pid   process       occurrences
  3860  WerFault.exe  14
  2280  WerFault.exe  14
  200   WerFault.exe  14
  2920  WerFault.exe  14
  2184  WerFault.exe  8
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  token               pid   process
  SeRestorePrivilege  3860  WerFault.exe
  SeBackupPrivilege   3860  WerFault.exe
  SeDebugPrivilege    3860  WerFault.exe
  SeDebugPrivilege    2280  WerFault.exe
  SeDebugPrivilege    200   WerFault.exe
  SeDebugPrivilege    2920  WerFault.exe
  SeDebugPrivilege    2184  WerFault.exe
  SeDebugPrivilege    2208  WerFault.exe
  SeDebugPrivilege    3300  WerFault.exe
  SeDebugPrivilege    732   WerFault.exe
  SeDebugPrivilege    1164  WerFault.exe
  SeDebugPrivilege    2112  WerFault.exe
  SeDebugPrivilege    2116  WerFault.exe
  SeDebugPrivilege    3220  WerFault.exe
  SeDebugPrivilege    1744  WerFault.exe
  SeDebugPrivilege    1664  WerFault.exe
Caveat: the EnumeratesProcesses and AdjustPrivilegeToken signatures are raised on WerFault.exe, not on the sample. The Windows Error Reporting fault handler enables SeDebugPrivilege so it can open the faulting process and write a dump, and walks the process list while collecting the report, so these entries corroborate the crash loop rather than showing the sample itself tampering with token privileges. The only signatures attributed to the sample's own process in this run are the certificate-store write and the external IP lookup.
Processes

C:\Users\Admin\AppData\Local\Temp\e42ddb0cabb9a77219150f59ff4aa95f.exe  (PID 2016)
  "C:\Users\Admin\AppData\Local\Temp\e42ddb0cabb9a77219150f59ff4aa95f.exe"
  - Modifies system certificate store

  Children, all C:\Windows\SysWOW64\WerFault.exe launched for the sample (-p is the faulting PID, -s a handle value WER passes to the fault handler):

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 872
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 880
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 936
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1120
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1088
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1132
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1444
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1664
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1700
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1808
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1764
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1732
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1816
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 852
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
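The pattern in the process tree, one faulting PID generating a long run of WerFault.exe launches, is cheap to hunt for on a live host. The following is an added detection example, not part of the report: it reads Sysmon process-creation events (Event ID 1, so it assumes Sysmon is installed and logging to its default channel), extracts the -p target PID from each WerFault.exe command line, and reports any PID that crashed at least a threshold number of times inside the window. The threshold and window are illustrative values.

```powershell
# Added detection example; not from the report. Finds crash loops like the one
# in the process tree above: WerFault.exe launched repeatedly for one target PID.
# Assumes Sysmon is installed and writing Event ID 1 (process creation) to the
# Microsoft-Windows-Sysmon/Operational channel. Thresholds are illustrative.
function Find-WerFaultCrashLoop {
    param(
        [int]$MinCrashes    = 5,
        [int]$WindowMinutes = 30
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        # WerFault.exe -u -p <faulting pid> -s <handle>: capture the -p value.
        if ($data.Image -match '\\WerFault\.exe$' -and
            $data.CommandLine -match '-p\s+(\d+)') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                TargetPid   = [int]$Matches[1]
                ParentImage = $data.ParentImage
                CommandLine = $data.CommandLine
            }
        }
      } |
      Group-Object TargetPid |
      Where-Object { $_.Count -ge $MinCrashes } |
      ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            TargetPid    = [int]$_.Name
            CrashReports = $_.Count
            FirstSeen    = $sorted[0].Time
            LastSeen     = $sorted[-1].Time
            # WER launches the fault handler with the faulting process as parent,
            # so ParentImage names the program that kept crashing.
            Parents      = ($sorted.ParentImage | Sort-Object -Unique) -join ', '
        }
      }
}

Find-WerFaultCrashLoop | Format-Table -AutoSize
```

On a host without Sysmon the same idea works against the Application log, where each crash produces an "Application Error" event (ID 1000) naming the faulting module; the grouping key is then the faulting application path rather than the PID from the command line.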