Analysis
-
max time kernel
115s -
max time network
145s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 12:36
Static task
static1
General
-
Target
558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe
-
Size
1.5MB
-
MD5
5df91194e2d3fd9f5f84f9b03e9f5b0e
-
SHA1
7f383ef4bde2cead4593885894035e230ab4f944
-
SHA256
558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe
-
SHA512
22a7d06d76a73f9f3926671c3377a418c8a972711e4c0d4270a789249d9f067c9df019e3a0f80be5f02602ecef290c012354421394ccb351b47160e90a9492a4
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 1544 created 1784 1544 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe -
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1784-117-0x0000000000400000-0x000000000057E000-memory.dmp family_vidar behavioral1/memory/1784-116-0x0000000002B10000-0x0000000002C2B000-memory.dmp family_vidar -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exepid process 1784 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 1784 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Program crash 12 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2604 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 3048 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 3480 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 3000 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 532 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 2108 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 1888 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 1336 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 660 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 1972 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 3076 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe 1544 1784 WerFault.exe 558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid process 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 2604 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3048 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3480 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 3000 WerFault.exe 532 WerFault.exe 532 WerFault.exe 532 WerFault.exe 532 WerFault.exe 532 WerFault.exe 532 WerFault.exe 532 WerFault.exe 532 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process Token: SeRestorePrivilege 2604 WerFault.exe Token: SeBackupPrivilege 2604 WerFault.exe Token: SeDebugPrivilege 2604 WerFault.exe Token: SeDebugPrivilege 3048 WerFault.exe Token: SeDebugPrivilege 3480 WerFault.exe Token: SeDebugPrivilege 3000 WerFault.exe Token: SeDebugPrivilege 532 WerFault.exe Token: SeDebugPrivilege 2108 WerFault.exe Token: SeDebugPrivilege 1888 WerFault.exe Token: SeDebugPrivilege 1336 WerFault.exe Token: SeDebugPrivilege 660 WerFault.exe Token: SeDebugPrivilege 1972 WerFault.exe Token: SeDebugPrivilege 3076 WerFault.exe Token: SeDebugPrivilege 1544 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe"C:\Users\Admin\AppData\Local\Temp\558c64e8360f1b7b57bb6e46718ee2cb0fb83f6f336031e9432e03efbb1927fe.exe"1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 9522⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 10562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 11002⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 14922⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 17122⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 17202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 17722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 14122⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 16562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 18402⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 18682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 19482⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/1784-115-0x0000000000630000-0x0000000000631000-memory.dmpFilesize
4KB
-
memory/1784-117-0x0000000000400000-0x000000000057E000-memory.dmpFilesize
1.5MB
-
memory/1784-116-0x0000000002B10000-0x0000000002C2B000-memory.dmpFilesize
1.1MB