Overview
overview
10Static
static
Setup (23).exe
windows11_x64
10Setup (24).exe
windows11_x64
Setup (25).exe
windows11_x64
10Setup (26).exe
windows11_x64
10Setup (27).exe
windows11_x64
10Setup (29).exe
windows11_x64
10Setup (3).exe
windows11_x64
10Setup (30).exe
windows11_x64
10Setup (31).exe
windows11_x64
10Setup (4).exe
windows11_x64
10Setup (5).exe
windows11_x64
10Setup (6).exe
windows11_x64
10Setup (7).exe
windows11_x64
10Setup (8).exe
windows11_x64
10Setup (9).exe
windows11_x64
10Setup.exe
windows11_x64
10Resubmissions
15-10-2024 15:36
241015-s1zlzasdkc 1001-07-2024 18:32
240701-w6yteawhmq 1001-07-2024 14:52
240701-r82wmaxdnd 1001-07-2024 14:52
240701-r8syqa1dpp 1011-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 10Analysis
-
max time kernel
305s -
max time network
1603s -
platform
windows11_x64 -
resource
win11 -
submitted
22-08-2021 21:19
Static task
static1
Behavioral task
behavioral1
Sample
Setup (23).exe
Resource
win11
gluptebametasploitnetsupportredlinesmokeloadersocelarsvidarv1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Setup (24).exe
Resource
win11
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
Setup (25).exe
Resource
win11
gluptebametasploitredlinesmokeloadersocelarsvidar22.08ayrelia1_installsdibild2v1backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
Setup (26).exe
Resource
win11
gluptebametasploitnetsupportredlinesmokeloadersocelarsvidarv1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
Setup (27).exe
Resource
win11
burangluptebametasploitnetsupportredlinesmokeloadersocelarsvidarzloader1v1backdoorbotnetdiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojanupx
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
Setup (29).exe
Resource
win11
gluptebametasploitnetsupportredlinesmokeloadervidarv1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojanupx
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
Setup (3).exe
Resource
win11
burangluptebametasploitnetsupportredlinesmokeloadersocelarsvidar122.08dibild2v1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
Setup (30).exe
Resource
win11
gluptebametasploitnetsupportredlinesmokeloadersocelarsvidar122.08v1backdoordiscoverydropperevasioninfostealerloaderpersistenceratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
Setup (31).exe
Resource
win11
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
Setup (4).exe
Resource
win11
burannetsupportredlinesmokeloadersocelarsvidarayrelia1_installsdibild2v1backdoordiscoveryevasioninfostealerpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
Setup (5).exe
Resource
win11
gluptebametasploitnetsupportredlinesmokeloadersocelarsvidar22.08dibild2v1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
Setup (6).exe
Resource
win11
burangluptebametasploitnetsupportredlinesmokeloadersocelarsvidarv1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojanupx
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
Setup (7).exe
Resource
win11
burangluptebametasploitnetsupportredlinesmokeloadersocelarsvidar22.08dibild2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
Setup (8).exe
Resource
win11
gluptebametasploitnetsupportredlinesmokeloadersocelarsvidar22.08dibild2v1backdoordiscoverydropperevasioninfostealerloaderpersistenceratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
Setup (9).exe
Resource
win11
burannetsupportredlinesmokeloadersocelarsvidarzloader22.08dibild2v1backdoorbotnetdiscoveryevasioninfostealerpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
Setup.exe
Resource
win11
burangluptebametasploitnetsupportredlinesmokeloadersocelarsvidarv1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
General
-
Target
Setup (31).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 2344 created 4876 2344 WerFault.exe 76 -
Program crash 1 IoCs
pid pid_target Process procid_target 5036 4876 WerFault.exe 76 -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5036 WerFault.exe 5036 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 5036 WerFault.exe Token: SeBackupPrivilege 5036 WerFault.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2344 wrote to memory of 4876 2344 WerFault.exe 76 PID 2344 wrote to memory of 4876 2344 WerFault.exe 76
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (31).exe"C:\Users\Admin\AppData\Local\Temp\Setup (31).exe"1⤵PID:4876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 19682⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 8PFJ7Xr/RkiQhw851r/usQ.0.21⤵
- Modifies data under HKEY_USERS
PID:3892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 48761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2344
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:4956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4564