f896070688915d517ec78e784f370089c15b012806dd3a3d33557e2bc3d44e2c

General

Target

e42ddb0cabb9a77219150f59ff4aa95f.exe
Size

830KB
MD5

e42ddb0cabb9a77219150f59ff4aa95f
SHA1

4f5e306cc8e24230915dc53f15efeefc5e9f0609
SHA256

f896070688915d517ec78e784f370089c15b012806dd3a3d33557e2bc3d44e2c
SHA512

2b5b5583d8db653881355afa774c51b06d1a21311148dc370af9f7ad2a1e3e69d36fc355eb1e1152bea649023632082488ea6246a1cf07024af572779ee33cff

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1664 created 2016 1664 WerFault.exe e42ddb0cabb9a77219150f59ff4aa95f.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.2ip.ua
12 api.2ip.ua

description	pid	process	target process
PID 1664 created 2016	1664	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe

flow	ioc
11	api.2ip.ua
12	api.2ip.ua

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3860	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2280	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
200	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2920	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2184	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2208	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3300	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
732	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
1164	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2112	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2116	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3220	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
1744	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
1664	2016	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

e42ddb0cabb9a77219150f59ff4aa95f.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	e42ddb0cabb9a77219150f59ff4aa95f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	e42ddb0cabb9a77219150f59ff4aa95f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
200	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3860	WerFault.exe
Token: SeBackupPrivilege	3860	WerFault.exe
Token: SeDebugPrivilege	3860	WerFault.exe
Token: SeDebugPrivilege	2280	WerFault.exe
Token: SeDebugPrivilege	200	WerFault.exe
Token: SeDebugPrivilege	2920	WerFault.exe
Token: SeDebugPrivilege	2184	WerFault.exe
Token: SeDebugPrivilege	2208	WerFault.exe
Token: SeDebugPrivilege	3300	WerFault.exe
Token: SeDebugPrivilege	732	WerFault.exe
Token: SeDebugPrivilege	1164	WerFault.exe
Token: SeDebugPrivilege	2112	WerFault.exe
Token: SeDebugPrivilege	2116	WerFault.exe
Token: SeDebugPrivilege	3220	WerFault.exe
Token: SeDebugPrivilege	1744	WerFault.exe
Token: SeDebugPrivilege	1664	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e42ddb0cabb9a77219150f59ff4aa95f.exe
"C:\Users\Admin\AppData\Local\Temp\e42ddb0cabb9a77219150f59ff4aa95f.exe"
1⤵
- Modifies system certificate store
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 872
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 880
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1120
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1088
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1132
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1444
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1664
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1700
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1808
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1764
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1816
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 852
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-114-0x0000000002260000-0x000000000237A000-memory.dmp

Filesize
1.1MB

Download
memory/2016-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads