f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5

General

Target

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
Size

874KB
MD5

bb159b6fe30e3c914feac5d4e1b85a61
SHA1

a3b639e1cf9d0ed3a73d2061dc40049508ea4e37
SHA256

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5
SHA512

85612cedcbaaad6c99be87a47d0fac373bacd35c36cbc23f3b64016ec507951bbe647d1108396495714cecaf6c12b75182853be08b9eaa47d79f0d3d500e2510

Score

8^/10

discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1848-64-0x0000000000400000-0x00000000005D4000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 12 IoCs

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 whoer.net

flow	ioc
14	whoer.net

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\5288DB8E5288DB8E.bmp"	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

description	pid	process	target process
PID 1816 set thread context of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\EnterTest.potm	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\RSSFeeds.css	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\external_extensions.json	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1852 1288 WerFault.exe

pid	pid_target	process	target process
1852	1288	WerFault.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exef5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exeWerFault.exe

pid	process
1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
1848	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
1848	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1852 WerFault.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

pid process

1816 f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

description	pid	process
Token: SeDebugPrivilege	1852	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

description	pid	process	target process
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
PID 1816 wrote to memory of 1848	1816	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe	f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe

C:\Users\Admin\AppData\Local\Temp\f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
C:\Users\Admin\AppData\Local\Temp\f5eb1e8b5561dc0f861d1edbf43bbc3eeda62ff8ce1cb9b286386248b158dfc5.sample.exe
2⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1288 -s 1228
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-63-0x00000000001F0000-0x00000000001F4000-memory.dmp

Filesize
16KB

Download
memory/1816-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1848-70-0x00000000728A0000-0x00000000728B0000-memory.dmp

Filesize
64KB

Download
memory/1848-64-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1848-65-0x0000000074450000-0x000000007448C000-memory.dmp

Filesize
240KB

Download
memory/1848-66-0x00000000744E0000-0x00000000744F2000-memory.dmp

Filesize
72KB

Download
memory/1848-69-0x0000000076C40000-0x0000000076D70000-memory.dmp

Filesize
1.2MB

Download
memory/1848-61-0x00000000005D1F30-mapping.dmp

Download
memory/1848-71-0x00000000728C0000-0x00000000728D0000-memory.dmp

Filesize
64KB

Download
memory/1848-72-0x0000000074A60000-0x0000000074A72000-memory.dmp

Filesize
72KB

Download
memory/1848-74-0x0000000075970000-0x00000000759A8000-memory.dmp

Filesize
224KB

Download
memory/1848-75-0x0000000074AD0000-0x0000000074ADB000-memory.dmp

Filesize
44KB

Download
memory/1852-67-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1852-68-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads