Analysis

- max time kernel: 128s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 18-05-2021 03:53

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
  - Resource: win7v20210408
- Behavioral task: behavioral2
  - Sample: 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
  - Resource: win10v20210410

The signatures and process tree below are from the win10v20210410 (windows10_x64) run.
General

- Target: 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
- Size: 266KB
- MD5: 8874eefa66fc80432258e5f8b51efb90
- SHA1: c7b9cb56c4b5bd87f3f1375326e5a786e4c4fdaf
- SHA256: 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd
- SHA512: e8f09c827d72c79a902af5d11c400828715a2d05a8de3e0b4b3e0357215bd781aca2c1221cb7f4115d582da593183d12ab52c8c29d7d63c9f29f55fbf9cdf4cc
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adhpalzotjs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\sfknst.exe\"" (the report escapes the value; the string actually written is "C:\Users\Admin\AppData\Roaming\Microsoft\sfknst.exe", quotes included)
  Despite the signature name, the key written is RunOnce, not Run, under the user hive (S-1-5-21-...-1000 is the Admin account's SID, so this is HKCU). Windows deletes a RunOnce value before launching it at the next logon, so once the entry has fired it is gone and the registry event may be the only record of it. The value name adhpalzotjs and the file name sfknst.exe are not recognisable product names, and the target lives in the user-writable %APPDATA%\Microsoft directory, so planting it needed no elevated rights. This excerpt records no file write of sfknst.exe.
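A detection for the persistence mechanism recorded above, written as an added example rather than anything from the report or the sandbox vendor: it scans registry SetValue events for Run-family values whose target executable sits in a user-writable directory. The event records are constructed in a Sysmon Event ID 13 shape (the field names are an assumption about the schema); the first reproduces the RunOnce write from the report with the sandbox's escaped rendering unescaped, the other two are benign controls. Sysmon writes registry roots as HKLM\ and HKU\ while the report uses the NT-native \REGISTRY\MACHINE\ and \REGISTRY\USER\, so the rule normalises both.

```python
import re

# Sysmon writes registry roots as HKLM\ and HKU\; the sandbox report writes the
# NT-native \REGISTRY\MACHINE\ and \REGISTRY\USER\. Normalise so one rule covers
# events from either source.
def normalize_key(path: str) -> str:
    upper = path.upper()
    for native, short in (("\\REGISTRY\\MACHINE\\", "HKLM\\"),
                          ("\\REGISTRY\\USER\\", "HKU\\")):
        if upper.startswith(native):
            return short + path[len(native):]
    return path

# A value written directly under one of the Run-family keys; captures which key
# and the value name.
AUTORUN_VALUE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce|RunServices|RunServicesOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Locations a standard user can write to. An autorun that launches from one of
# these needed no admin rights to plant. Assumption: the list is illustrative.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)

def exe_path_from_value(details: str) -> str:
    """Extract the executable from a Run value: either a quoted path (possibly
    followed by arguments) or an unquoted path up to the first space."""
    s = details.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]

def find_autorun_abuse(events):
    """Return one alert per SetValue event that writes a Run/RunOnce value
    pointing at a binary in a user-writable directory."""
    alerts = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        m = AUTORUN_VALUE.search(normalize_key(ev["TargetObject"]))
        if not m:
            continue
        target = exe_path_from_value(ev["Details"])
        if USER_WRITABLE.match(target):
            alerts.append({
                "writer": ev["Image"],
                "key": m.group("key"),
                "value_name": m.group("name"),
                "target": target,
            })
    return alerts

# Constructed records in a Sysmon Event ID 13 shape (field names are an
# assumption). The first reproduces the RunOnce write from the report, with the
# report's escaped rendering of the value unescaped; the others are benign.
SAMPLE_EVENTS = [
    {"EventType": "SetValue",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adhpalzotjs",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Microsoft\sfknst.exe"'},
    {"EventType": "SetValue",                                   # constructed control
     "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "Details": r'"C:\Program Files\ExampleVendor\agent.exe" /background'},
    {"EventType": "SetValue",                                   # constructed control
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for a in find_autorun_abuse(SAMPLE_EVENTS):
        print(f"{a['key']}\\{a['value_name']} -> {a['target']}  (written by {a['writer']})")
```

Only the first record alerts: the vendor control launches from Program Files and the Explorer setting is not an autorun value. Because RunOnce values are removed before they run, a host triage done after the next logon will not find the entry in the registry; the SetValue event is what to hunt on.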
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
  File opened (read-only), in the order recorded: \??\U: \??\F: \??\G: \??\H: \??\O: \??\S: \??\E: \??\M: \??\P: \??\T: \??\V: \??\W: \??\X: \??\L: \??\N: \??\Q: \??\A: \??\B: \??\I: \??\J: \??\K: \??\R: \??\Y: \??\Z:
  That is every drive letter except C: and D:. The \??\ prefix is the NT object-manager path of the drive root; opening it succeeds only for letters that are actually mapped, so the sweep doubles as a cheap inventory of removable and network drives, which is typical of samples that spread to or encrypt attached media.
- Program crash (1 IoCs)
  Process: WerFault.exe
  - pid 196 WerFault.exe, pid_target 3936 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  The report shows only the reads, not what the values were compared against. Installers and telemetry components read the same key, so this signature is weak on its own and gains weight only in combination with the other behaviours in this run.
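The drive-enumeration and processor-check sections above arrive as one flattened run of "description ioc process" entries, which is awkward to hunt on directly. The following added example (not part of the report or the sandbox's tooling) parses that layout back into (description, ioc, process) triples and then summarises the two behaviours: which drive roots each process probed and which values it read under CentralProcessor\0. REPORT_TEXT is constructed from the signature lines on this page (the RunOnce write, the 24 drive roots in the order listed, the three CentralProcessor entries); the descriptions the regex knows are the ones that occur here, and the sweep threshold of 8 is an assumption.

```python
import re
import string
from collections import defaultdict

SAMPLE = "6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe"
CPU_KEY = "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"

# One IoC in the report's flattened "description ioc process" layout. The
# descriptions are those that occur on this page; "Set value (str)" carries a
# quoted value after " = " whose inner quotes and backslashes are escaped.
IOC_RE = re.compile(
    r"(?P<desc>File opened \(read-only\)|Key opened|Key value queried|Key created|Set value \(str\)) "
    r'(?P<ioc>\S+(?: = "(?:[^"\\]|\\.)*")?) '
    r"(?P<proc>\S+\.exe)"
)

# NT object-manager path of a drive root, e.g. \??\U:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)

def parse_iocs(text):
    """Split a run of report IoCs into (description, ioc, process) triples."""
    return [(m["desc"], m["ioc"], m["proc"]) for m in IOC_RE.finditer(text)]

def drive_sweeps(triples, threshold=8):
    """Processes that opened at least `threshold` distinct drive roots.
    Assumption: ordinary software rarely touches more than a few letters."""
    per_proc = defaultdict(set)
    for desc, ioc, proc in triples:
        m = DRIVE_ROOT.match(ioc)
        if desc.startswith("File opened") and m:
            per_proc[proc].add(m.group(1).upper())
    return {p: sorted(ls) for p, ls in per_proc.items() if len(ls) >= threshold}

def letters_not_probed(letters):
    """Drive letters a sweep skipped; for the report above this is C: and D:."""
    return sorted(set(string.ascii_uppercase) - set(letters))

def cpu_fingerprint_reads(triples):
    """Value names queried under CentralProcessor\\0, per process."""
    out = defaultdict(list)
    for desc, ioc, proc in triples:
        if desc == "Key value queried" and ioc.upper().startswith(CPU_KEY.upper() + "\\"):
            out[proc].append(ioc.rsplit("\\", 1)[1])
    return dict(out)

# Constructed from the signature lines above: the RunOnce write, the 24 drive
# roots in the order the report lists them, and the three CentralProcessor reads.
_DRIVES = "U F G H O S E M P T V W X L N Q A B I J K R Y Z".split()
_RUNONCE_KEY = ("\\REGISTRY\\USER\\S-1-5-21-3686645723-710336880-414668232-1000"
                "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
REPORT_TEXT = " ".join(
    [f"Key created {_RUNONCE_KEY} {SAMPLE}",
     f'Set value (str) {_RUNONCE_KEY}\\adhpalzotjs = "\\"C:\\\\Users\\\\Admin\\\\AppData\\\\Roaming\\\\Microsoft\\\\sfknst.exe\\"" {SAMPLE}']
    + [f"File opened (read-only) \\??\\{d}: {SAMPLE}" for d in _DRIVES]
    + [f"Key opened {CPU_KEY} {SAMPLE}",
       f"Key value queried {CPU_KEY}\\ProcessorNameString {SAMPLE}",
       f"Key value queried {CPU_KEY}\\Identifier {SAMPLE}"]
)

if __name__ == "__main__":
    triples = parse_iocs(REPORT_TEXT)
    print(len(triples), "IoCs parsed")
    for proc, letters in drive_sweeps(triples).items():
        print(f"{proc}: probed {len(letters)} drive roots, skipped {letters_not_probed(letters)}")
    print(cpu_fingerprint_reads(triples))
```

On the constructed input this yields 29 triples, one process that probed 24 drive roots with C: and D: skipped, and the two CentralProcessor values (ProcessorNameString, Identifier) read by that same process. The "Key opened" entry is deliberately not counted as a read; only value queries tell you what the sample actually consumed.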
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  - pid 3936 6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe: 4 hits
  - pid 196 WerFault.exe: 15 hits
  15 of the 19 hits come from WerFault.exe, the Windows Error Reporting host that handled the crash, and are not sample behaviour; only the 4 from pid 3936 are attributable to the malware.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: WerFault.exe (pid 196)
  - Token: SeRestorePrivilege
  - Token: SeBackupPrivilege
  - Token: SeDebugPrivilege
  All three privileges are enabled by WerFault.exe, which needs SeDebugPrivilege to open the crashed process and write its dump; the sample itself adjusts no privileges in this run, so this signature carries no weight here.
Processes

1. C:\Users\Admin\AppData\Local\Temp\6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6ed150ed5592870e158ded825b71762c65f8dd45917ce4ae17d11b599e1755cd.exe"
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1248
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The -p 3936 argument is the PID of the crashed sample (matching pid_target in the Program crash signature), and the SysWOW64 copy of WerFault.exe is the one Windows uses for 32-bit processes, so the sample is a 32-bit executable running under WOW64 on this x64 guest. The crash ended the sample before the run's time limit; what it would have done after writing the RunOnce value is not observed here.