e2bf9e2c787866d86fc1ae939c378f7d22fab268a00ae163fff1b79332df2088

General

Target

Auftragsbestätigung Dringend.exe
Size

812KB
MD5

b8d99b6c405fc56bd8a1448421d64eac
SHA1

0ba8da5d51a77798010e6b1a2a8e759c8bcbe7fa
SHA256

e2bf9e2c787866d86fc1ae939c378f7d22fab268a00ae163fff1b79332df2088
SHA512

5b1408332ce31003708a5de87bb2b7e3df4731d1d978a3f9dab992a12ccea57ab04239955fd3a56af867fd160ede3d3830826231352bacd0416f887e4e3c070f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

780 1540 WerFault.exe Auftragsbestätigung Dringend.exe

pid	pid_target	process	target process
780	1540	WerFault.exe	Auftragsbestätigung Dringend.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Auftragsbestätigung Dringend.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Auftragsbestätigung Dringend.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Auftragsbestätigung Dringend.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

780 WerFault.exe
780 WerFault.exe
780 WerFault.exe
780 WerFault.exe
780 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

780 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 780 WerFault.exe

pid	process
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe

pid	process
780	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	780	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Auftragsbestätigung Dringend.exe

description	pid	process	target process
PID 1540 wrote to memory of 780	1540	Auftragsbestätigung Dringend.exe	WerFault.exe
PID 1540 wrote to memory of 780	1540	Auftragsbestätigung Dringend.exe	WerFault.exe
PID 1540 wrote to memory of 780	1540	Auftragsbestätigung Dringend.exe	WerFault.exe
PID 1540 wrote to memory of 780	1540	Auftragsbestätigung Dringend.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Auftragsbestätigung Dringend.exe
"C:\Users\Admin\AppData\Local\Temp\Auftragsbestätigung Dringend.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 760
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-58-0x0000000000000000-mapping.dmp

Download
memory/780-59-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1540-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1540-57-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing