f896070688915d517ec78e784f370089c15b012806dd3a3d33557e2bc3d44e2c

General

Target

e42ddb0cabb9a77219150f59ff4aa95f.exe
Size

830KB
MD5

e42ddb0cabb9a77219150f59ff4aa95f
SHA1

4f5e306cc8e24230915dc53f15efeefc5e9f0609
SHA256

f896070688915d517ec78e784f370089c15b012806dd3a3d33557e2bc3d44e2c
SHA512

2b5b5583d8db653881355afa774c51b06d1a21311148dc370af9f7ad2a1e3e69d36fc355eb1e1152bea649023632082488ea6246a1cf07024af572779ee33cff

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2772 created 3456 2772 WerFault.exe e42ddb0cabb9a77219150f59ff4aa95f.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
11 api.2ip.ua

description	pid	process	target process
PID 2772 created 3456	2772	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe

flow	ioc
9	api.2ip.ua
11	api.2ip.ua

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2732	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
1956	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2684	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2788	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
936	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3736	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3856	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
1900	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3996	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3976	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3160	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
3728	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2676	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe
2772	3456	WerFault.exe	e42ddb0cabb9a77219150f59ff4aa95f.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

e42ddb0cabb9a77219150f59ff4aa95f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	e42ddb0cabb9a77219150f59ff4aa95f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	e42ddb0cabb9a77219150f59ff4aa95f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2732	WerFault.exe
Token: SeBackupPrivilege	2732	WerFault.exe
Token: SeDebugPrivilege	2732	WerFault.exe
Token: SeDebugPrivilege	1956	WerFault.exe
Token: SeDebugPrivilege	2684	WerFault.exe
Token: SeDebugPrivilege	2788	WerFault.exe
Token: SeDebugPrivilege	936	WerFault.exe
Token: SeDebugPrivilege	3736	WerFault.exe
Token: SeDebugPrivilege	3856	WerFault.exe
Token: SeDebugPrivilege	1900	WerFault.exe
Token: SeDebugPrivilege	3996	WerFault.exe
Token: SeDebugPrivilege	3976	WerFault.exe
Token: SeDebugPrivilege	3160	WerFault.exe
Token: SeDebugPrivilege	3728	WerFault.exe
Token: SeDebugPrivilege	2676	WerFault.exe
Token: SeDebugPrivilege	2772	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e42ddb0cabb9a77219150f59ff4aa95f.exe
"C:\Users\Admin\AppData\Local\Temp\e42ddb0cabb9a77219150f59ff4aa95f.exe"
1⤵
- Modifies system certificate store
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 872
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 880
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1004
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1120
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1132
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1452
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1636
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1680
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1740
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1780
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1408
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1740
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 836
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3456-114-0x0000000002220000-0x000000000233A000-memory.dmp

Filesize
1.1MB

Download
memory/3456-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads