Analysis
max time kernel: 254s
max time network: 279s
platform: windows10_x64
resource: win10v20210410
submitted: 23-06-2021 13:06
Static task: static1
Behavioral task: behavioral1
  Sample: 416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe
  Resource: win10v20210410
General
Target: 416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe
Size: 369KB
MD5: 331b8604ba1ee60396d11c0ccd628ebb
SHA1: 637fde23551e378a3fcbecb64c64b8e51ece23b2
SHA256: 416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5
SHA512: c55f673ae5a2c19e75585ef124161d72ac83959e8606e397388271290058f3ea4810a7ec39a00d8053138bf26ea96402e8dbe13bca186ec71fc8257442ec82c6
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
    description              pid   Process       procid_target
    PID 4212 created 4444    4212  WerFault.exe  68
- Downloads MZ/PE file
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (9 IoCs)
  Processes:
    pid   pid_target  Process       procid_target
    3152  4444        WerFault.exe  68
    3156  4444        WerFault.exe  68
    2252  4444        WerFault.exe  68
    4056  4444        WerFault.exe  68
    2112  4444        WerFault.exe  68
    8     4444        WerFault.exe  68
    1804  4444        WerFault.exe  68
    4224  4444        WerFault.exe  68
    4212  4444        WerFault.exe  68
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, Process, number of IoC entries recorded for that pid; 64 entries in total):
    pid   Process       entries
    3152  WerFault.exe  14
    3156  WerFault.exe  14
    2252  WerFault.exe  14
    4056  WerFault.exe  14
    2112  WerFault.exe  8
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes:
    description                pid   Process
    Token: SeRestorePrivilege  3152  WerFault.exe
    Token: SeBackupPrivilege   3152  WerFault.exe
    Token: SeDebugPrivilege    3152  WerFault.exe
    Token: SeDebugPrivilege    3156  WerFault.exe
    Token: SeDebugPrivilege    2252  WerFault.exe
    Token: SeDebugPrivilege    4056  WerFault.exe
    Token: SeDebugPrivilege    2112  WerFault.exe
    Token: SeDebugPrivilege    8     WerFault.exe
    Token: SeDebugPrivilege    1804  WerFault.exe
    Token: SeDebugPrivilege    4224  WerFault.exe
    Token: SeDebugPrivilege    4212  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe"
  Depth: 1
  PID: 4444
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 664
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3152
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 772
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3156
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 748
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2252
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 792
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4056
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 892
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2112
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1312
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID: 8
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1300
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID: 1804
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1444
    Depth: 2
    Signatures:
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID: 4224
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1420
    Depth: 2
    Signatures:
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID: 4212