Analysis
-
max time kernel
133s -
max time network
158s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
11-10-2021 08:19
Static task
static1
Behavioral task
behavioral1
Sample
307b16c4e0037078f39c029ad69c1ae7.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
307b16c4e0037078f39c029ad69c1ae7.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
General
-
Target
307b16c4e0037078f39c029ad69c1ae7.exe
-
Size
13KB
-
MD5
307b16c4e0037078f39c029ad69c1ae7
-
SHA1
465ff7790e3cffd577e6439ffc15d693baeecffd
-
SHA256
bd5c24761ed0f7e6b1741abc9812e18794dd98524a7f4d3a8998d9a71af071ad
-
SHA512
dd1279e86dbd74cff90381afb64f7a37e25add72dc6c059df11fb63cba104124c1c2397778f6d240a8973cac4da24be9e930e978af6939fb8ef8c365d8e464dc
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1580 1652 WerFault.exe 307b16c4e0037078f39c029ad69c1ae7.exe -
Processes:
307b16c4e0037078f39c029ad69c1ae7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 307b16c4e0037078f39c029ad69c1ae7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 307b16c4e0037078f39c029ad69c1ae7.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1580 WerFault.exe 1580 WerFault.exe 1580 WerFault.exe 1580 WerFault.exe 1580 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1580 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
307b16c4e0037078f39c029ad69c1ae7.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1652 307b16c4e0037078f39c029ad69c1ae7.exe Token: SeDebugPrivilege 1580 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
307b16c4e0037078f39c029ad69c1ae7.exedescription pid process target process PID 1652 wrote to memory of 1580 1652 307b16c4e0037078f39c029ad69c1ae7.exe WerFault.exe PID 1652 wrote to memory of 1580 1652 307b16c4e0037078f39c029ad69c1ae7.exe WerFault.exe PID 1652 wrote to memory of 1580 1652 307b16c4e0037078f39c029ad69c1ae7.exe WerFault.exe PID 1652 wrote to memory of 1580 1652 307b16c4e0037078f39c029ad69c1ae7.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\307b16c4e0037078f39c029ad69c1ae7.exe"C:\Users\Admin\AppData\Local\Temp\307b16c4e0037078f39c029ad69c1ae7.exe"1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 16082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1580-64-0x0000000000000000-mapping.dmp
-
memory/1580-65-0x0000000000630000-0x0000000000631000-memory.dmpFilesize
4KB
-
memory/1652-0-0x0000000000B00000-0x0000000000B01000-memory.dmpFilesize
4KB
-
memory/1652-62-0x0000000076641000-0x0000000076643000-memory.dmpFilesize
8KB
-
memory/1652-63-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB