12044edcb89b6026021208f988f3ae17848d6bc11c4dcf7b5b9604ba93ca894a

Analysis

max time kernel
153s
max time network
171s
platform
windows10_x64
resource
win10-en-20210920
submitted
16-10-2021 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4/low.exe
Size

336KB
MD5

95474ed3f97fb7167dff3990ff0155ec
SHA1

b55c38792f78c5f76f2f2ee656f24f59390fb0f6
SHA256

5e6b720e26146efd236e9c18c834f28723b9f182d9ce85d1c833ac3f8311eed0
SHA512

8bf50f00aa7d0f5c4e5f4c6eeb93131768bb2e974e5edd73453db6d64bcbf90f088f324102df6b17311dff268f79a4ef6357da609ada7440229563f09aefd956

Score

10^/10

suricata

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4064 created 3936 4064 WerFault.exe low.exe
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4064 created 3936	4064	WerFault.exe	low.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2020	3936	WerFault.exe	low.exe
640	3936	WerFault.exe	low.exe
1496	3936	WerFault.exe	low.exe
3908	3936	WerFault.exe	low.exe
3680	3936	WerFault.exe	low.exe
4064	3936	WerFault.exe	low.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2020	WerFault.exe
Token: SeBackupPrivilege	2020	WerFault.exe
Token: SeDebugPrivilege	2020	WerFault.exe
Token: SeDebugPrivilege	640	WerFault.exe
Token: SeDebugPrivilege	1496	WerFault.exe
Token: SeDebugPrivilege	3908	WerFault.exe
Token: SeDebugPrivilege	3680	WerFault.exe
Token: SeDebugPrivilege	4064	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\low.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\low.exe"
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 660
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 772
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 824
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 784
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 764
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1064
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3936-116-0x00000000032E0000-0x000000000330F000-memory.dmp

Filesize
188KB

Download
memory/3936-117-0x0000000000400000-0x00000000016C7000-memory.dmp

Filesize
18.8MB

Download