Analysis
-
max time kernel
136s -
max time network
82s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
13-10-2021 17:53
Static task
static1
Behavioral task
behavioral1
Sample
04162b1bcb2ebb326fc52801821e42b0.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
04162b1bcb2ebb326fc52801821e42b0.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
04162b1bcb2ebb326fc52801821e42b0.exe
-
Size
12KB
-
MD5
04162b1bcb2ebb326fc52801821e42b0
-
SHA1
2443aac454b8299bdfea13017cc2339d605dacea
-
SHA256
259dbea8ad36ca1f502f7eba9257bf7111313f4ef76c34922cd34dd5808b5181
-
SHA512
701f55f4da2fddcf42ee9c0be5539a4f4e617b8a837ed88647295b1f98cf407ae52df19557c8202c303714301c6cccefd0acad49da4c138aa2d140c1d41e6973
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1620 628 WerFault.exe 04162b1bcb2ebb326fc52801821e42b0.exe -
Processes:
04162b1bcb2ebb326fc52801821e42b0.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 04162b1bcb2ebb326fc52801821e42b0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 04162b1bcb2ebb326fc52801821e42b0.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1620 WerFault.exe 1620 WerFault.exe 1620 WerFault.exe 1620 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1620 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
04162b1bcb2ebb326fc52801821e42b0.exeWerFault.exedescription pid process Token: SeDebugPrivilege 628 04162b1bcb2ebb326fc52801821e42b0.exe Token: SeDebugPrivilege 1620 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
04162b1bcb2ebb326fc52801821e42b0.exedescription pid process target process PID 628 wrote to memory of 1620 628 04162b1bcb2ebb326fc52801821e42b0.exe WerFault.exe PID 628 wrote to memory of 1620 628 04162b1bcb2ebb326fc52801821e42b0.exe WerFault.exe PID 628 wrote to memory of 1620 628 04162b1bcb2ebb326fc52801821e42b0.exe WerFault.exe PID 628 wrote to memory of 1620 628 04162b1bcb2ebb326fc52801821e42b0.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04162b1bcb2ebb326fc52801821e42b0.exe"C:\Users\Admin\AppData\Local\Temp\04162b1bcb2ebb326fc52801821e42b0.exe"1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 15962⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/628-60-0x0000000001060000-0x0000000001061000-memory.dmpFilesize
4KB
-
memory/628-62-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/628-63-0x00000000044E0000-0x00000000044E1000-memory.dmpFilesize
4KB
-
memory/1620-64-0x0000000000000000-mapping.dmp
-
memory/1620-65-0x0000000000360000-0x0000000000361000-memory.dmpFilesize
4KB