Analysis
- max time kernel: 116s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 27-09-2021 14:03

Static task: static1

Behavioral task: behavioral1
- Sample: Auftragsbestätigung Dringend.exe
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Auftragsbestätigung Dringend.exe
- Resource: win10-en-20210920 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Auftragsbestätigung Dringend.exe
- Size: 812KB
- MD5: b8d99b6c405fc56bd8a1448421d64eac
- SHA1: 0ba8da5d51a77798010e6b1a2a8e759c8bcbe7fa
- SHA256: e2bf9e2c787866d86fc1ae939c378f7d22fab268a00ae163fff1b79332df2088
- SHA512: 5b1408332ce31003708a5de87bb2b7e3df4731d1d978a3f9dab992a12ccea57ab04239955fd3a56af867fd160ede3d3830826231352bacd0416f887e4e3c070f

Score: 3/10
Malware Config
(none extracted)

Signatures
-
Program crash 1 IoCs
Processes:
  pid   pid_target   process        target process
  780   1540         WerFault.exe   Auftragsbestätigung Dringend.exe
-
Modifies system certificate store 2 IoCs
Processes:
  description        ioc                                                                                                                         process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436                                               Auftragsbestätigung Dringend.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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   Auftragsbestätigung Dringend.exe
Caveat: AuthRoot is the store that Windows' automatic root-certificate update populates when a process validates a certificate chain, and thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the DigiCert Global Root CA. This write is therefore a side effect of normal CryptoAPI use, not the sample installing its own trust anchor; a write to the Root or Disallowed store by the sample itself would be the stronger indicator.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid   process
  780   WerFault.exe
  780   WerFault.exe
  780   WerFault.exe
  780   WerFault.exe
  780   WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  780   WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                pid   process
  Token: SeDebugPrivilege    780   WerFault.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description                          pid    process                            target process
  PID 1540 wrote to memory of 780      1540   Auftragsbestätigung Dringend.exe   WerFault.exe
  PID 1540 wrote to memory of 780      1540   Auftragsbestätigung Dringend.exe   WerFault.exe
  PID 1540 wrote to memory of 780      1540   Auftragsbestätigung Dringend.exe   WerFault.exe
  PID 1540 wrote to memory of 780      1540   Auftragsbestätigung Dringend.exe   WerFault.exe
Caveat: this signature fires on ordinary parent-to-child process creation. The only target here is the WerFault.exe that the sample's own crash launched (note the -p 1540 on its command line), so these writes are not evidence of injection. All of the remaining "suspicious behavior" signatures above are attributed to WerFault.exe (PID 780), the Windows error-reporting process, rather than to the sample.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Auftragsbestätigung Dringend.exe (PID 1540, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Auftragsbestätigung Dringend.exe"
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WerFault.exe (PID 780, depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 760
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
The sample spawned nothing but WerFault.exe, which was launched from SysWOW64 with -p 1540: the sample is a 32-bit process that crashed and reported itself, and the run ended there.
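The two signatures worth triaging in this report are the certificate-store writes and the WriteProcessMemory calls into WerFault.exe. The following Python script is an added example, not part of this report or of the sandbox's own tooling: it parses IoC rows in a "description|ioc|process" form constructed to mirror the signature tables above, rates each certificate-store write by which store it touched (AuthRoot low, Root and Disallowed high), parses the WerFault.exe command line from the process tree, and separates the crashing process's writes into its own WerFault child from any other WriteProcessMemory target. The severity mapping and the third sample row (a Root-store write by a hypothetical "evil.exe") are constructed for the example.

```python
"""Triage helpers for two sandbox signatures: certificate-store registry writes
and WriteProcessMemory into a WerFault.exe child. Added example, not report code."""
import re
from dataclasses import dataclass

# Registry form of the Windows system certificate stores as sandbox reports show them.
# AuthRoot is filled by Windows' automatic root-certificate update when a process
# builds a TLS or Authenticode chain, so a write there is usually a side effect of
# normal API use; Root and Disallowed writes by a user-mode sample need explaining.
STORE_RE = re.compile(
    r"\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\Microsoft\\SystemCertificates\\"
    r"(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})"
)
# Severity per store is an assumption chosen for this example.
STORE_SEVERITY = {"AuthRoot": "low", "CA": "medium", "Root": "high", "Disallowed": "high"}
WERFAULT_RE = re.compile(r"WerFault\.exe\s*(?P<args>.*)$", re.IGNORECASE)

# Constructed sample rows ('description|ioc|process'): the first two are the IoCs
# from this report, the third is a made-up contrasting write into the Root store.
SAMPLE_ROWS = [
    r"Key created|\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436|Auftragsbestätigung Dringend.exe",
    r"Set value (data)|\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = ...|Auftragsbestätigung Dringend.exe",
    r"Set value (data)|\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob = ...|evil.exe",
]
# From the process tree: the WerFault command line and the four writes 1540 -> 780.
SAMPLE_WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 760"
SAMPLE_WRITES = [(1540, "Auftragsbestätigung Dringend.exe", 780, "WerFault.exe")] * 4


@dataclass(frozen=True)
class CertStoreEvent:
    description: str
    hive: str
    store: str
    thumbprint: str
    process: str
    severity: str


def parse_cert_store_events(rows):
    """Turn 'description|ioc|process' rows into CertStoreEvent records, rated by
    which store was touched. Rows whose ioc is not a certificate key are skipped."""
    events = []
    for row in rows:
        description, ioc, process = (field.strip() for field in row.split("|", 2))
        m = STORE_RE.search(ioc)
        if not m:
            continue
        store = m.group("store")
        events.append(CertStoreEvent(description, m.group("hive"), store,
                                     m.group("thumb").upper(), process,
                                     STORE_SEVERITY.get(store, "medium")))
    return events


def parse_werfault_cmdline(cmdline):
    """Extract what WerFault was told: -u (user-mode report), -p <pid> of the
    faulting process, -s <handle> passed along by the faulting process.
    Returns None if the command line is not a WerFault invocation."""
    m = WERFAULT_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args").split()
    values = {}
    for i, arg in enumerate(args):
        if arg in ("-p", "-s") and i + 1 < len(args) and args[i + 1].isdigit():
            values[arg] = int(args[i + 1])
    return {"usermode": "-u" in args,
            "faulting_pid": values.get("-p"),
            "handle": values.get("-s")}


def classify_memory_writes(writes, werfault_pid, werfault_cmdline):
    """Split WriteProcessMemory events (src_pid, src_name, dst_pid, dst_name) into
    the writes a crashing process makes into the WerFault child it spawned for
    itself, and everything else, which would need a closer look."""
    info = parse_werfault_cmdline(werfault_cmdline)
    expected, unexplained = [], []
    for src_pid, _src_name, dst_pid, dst_name in writes:
        own_wer_child = (info is not None and dst_pid == werfault_pid
                         and dst_name.lower() == "werfault.exe"
                         and src_pid == info["faulting_pid"])
        (expected if own_wer_child else unexplained).append((src_pid, dst_pid))
    return expected, unexplained


if __name__ == "__main__":
    for ev in parse_cert_store_events(SAMPLE_ROWS):
        print(f"[{ev.severity:6}] {ev.process}: {ev.description} {ev.store}\\{ev.thumbprint}")
    print(parse_werfault_cmdline(SAMPLE_WERFAULT_CMDLINE))
    print(classify_memory_writes(SAMPLE_WRITES, 780, SAMPLE_WERFAULT_CMDLINE))
```

Run against the report's own rows the script rates both AuthRoot writes low and files all four memory writes as the crashing process's writes into its own WerFault child; only the constructed Root-store row, or a write from a PID other than the one named by -p, would be raised for follow-up.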
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/780-58-0x0000000000000000-mapping.dmp
- memory/780-59-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize 4KB)
- memory/1540-56-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize 4KB)
- memory/1540-57-0x0000000075A71000-0x0000000075A73000-memory.dmp (Filesize 8KB)