Analysis
  max time kernel: 21s
  max time network: 150s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 18-07-2021 09:07

Static task: static1
Behavioral task: behavioral1
  Sample: usfive_20210718-090922.exe
  Resource: win7v20210410
General
  Target: usfive_20210718-090922.exe
  Size: 499KB
  MD5: 982f58d704d00ef6fa9a90d3fee6b98b
  SHA1: 810959da0fdbd7667a5356282b1e9bb2bdb21d72
  SHA256: 86b3b60d044d90b22c1285027ad44cc36b3c83ab2c4174fb92ef07cbe1d76cac
  SHA512: 0d19255e57b3eb47fa42c6b1fec153f5926b0043ae8ed939ef9df1d16bc145928d0ab824091bb39b5e597c6c8efcf41a0fa4cdc9870569889e7ea680b014e065
Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description: PID 3772 created 4024 | pid: 3772 | Process: WerFault.exe | procid_target: 79

DarkVNC Payload (2 IoCs)
  resource: behavioral2/memory/4024-129-0x0000000000B40000-0x0000000000BC8000-memory.dmp | yara_rule: darkvnc
  resource: behavioral2/memory/4024-130-0x0000000000400000-0x00000000009CC000-memory.dmp | yara_rule: darkvnc

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  pid: 4024 | Process: ioTH8HtNXY.exe

Loads dropped DLL (6 IoCs)
  6 identical entries: pid: 3876 | Process: usfive_20210718-090922.exe

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4024 set thread context of 3348 | pid: 4024 | Process: ioTH8HtNXY.exe | procid_target: 83

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid: 3772 | pid_target: 4024 | Process: WerFault.exe | procid_target: 79

Delays execution with timeout.exe (1 IoC)
  pid: 3900 | Process: timeout.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  14 identical entries: pid: 3772 | Process: WerFault.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 4024 | Process: ioTH8HtNXY.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeRestorePrivilege | pid: 3772 | Process: WerFault.exe
  description: Token: SeBackupPrivilege | pid: 3772 | Process: WerFault.exe
  description: Token: SeDebugPrivilege | pid: 3772 | Process: WerFault.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  3 entries: description: PID 3876 wrote to memory of 4024 | pid: 3876 | Process: usfive_20210718-090922.exe | procid_target: 79
  3 entries: description: PID 3876 wrote to memory of 972 | pid: 3876 | Process: usfive_20210718-090922.exe | procid_target: 80
  3 entries: description: PID 972 wrote to memory of 3900 | pid: 972 | Process: cmd.exe | procid_target: 82
  5 entries: description: PID 4024 wrote to memory of 3348 | pid: 4024 | Process: ioTH8HtNXY.exe | procid_target: 83
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\usfive_20210718-090922.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\usfive_20210718-090922.exe"
  PID: 3876
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ioTH8HtNXY.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ioTH8HtNXY.exe"
    PID: 4024
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe
      PID: 3348

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 484
      PID: 3772
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\usfive_20210718-090922.exe"
    PID: 972
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout /T 10 /NOBREAK
      PID: 3900
      - Delays execution with timeout.exe