Analysis
-
max time kernel
36s -
max time network
46s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-05-2021 13:40
Static task
static1
Behavioral task
behavioral1
Sample
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe
-
Size
37KB
-
MD5
b84027fc912f24bcc662f1a7ec6dcc22
-
SHA1
12c13de5d53e28fc158245558f914aa41384708d
-
SHA256
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72
-
SHA512
0156a723048c314988b27d65cb5990655d261b3dc12a0e25d6b4695e18a7879fce20051ae393b85cbf5316c06502354c248291d7b8ec219b8ef9c34b8aa05abe
Score
10/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\I-Worm.GiGu = "uGiG.eXe" 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe -
Drops file in System32 directory 3 IoCs
Processes:
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exedescription ioc process File created C:\Windows\SysWOW64\GiGu.eXe 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe File opened for modification C:\Windows\SysWOW64\GiGu.eXe 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe File created C:\Windows\SysWOW64\GiGu.eml 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe -
Drops file in Windows directory 2 IoCs
Processes:
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exedescription ioc process File created C:\Windows\uGiG.eXe 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe File opened for modification C:\Windows\uGiG.eXe 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3604 996 WerFault.exe 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exeWerFault.exepid process 996 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe 996 4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe 3604 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3604 WerFault.exe Token: SeBackupPrivilege 3604 WerFault.exe Token: SeDebugPrivilege 3604 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe"C:\Users\Admin\AppData\Local\Temp\4cbf447acf3d4b9e14dec09654effa49edb6ff7e1b539f5dd122dcd57584fa72.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:996 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 4682⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/996-114-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB