Analysis
- max time kernel: 357s
- max time network: 1560s
- platform: windows11_x64
- resource: win11
- submitted: 22-10-2021 14:38
Static task
- static1
Behavioral task: behavioral1
- Sample: Fri0541e16ce794d258f.exe
- Resource: win7-ja-20211014
Behavioral task: behavioral2
- Sample: Fri0541e16ce794d258f.exe
- Resource: win7-en-20210920
Behavioral task: behavioral3
- Sample: Fri0541e16ce794d258f.exe
- Resource: win7-de-20211014
Behavioral task: behavioral4
- Sample: Fri0541e16ce794d258f.exe
- Resource: win11
Behavioral task: behavioral5
- Sample: Fri0541e16ce794d258f.exe
- Resource: win10-ja-20211014
Behavioral task: behavioral6
- Sample: Fri0541e16ce794d258f.exe
- Resource: win10-en-20210920
Behavioral task: behavioral7
- Sample: Fri0541e16ce794d258f.exe
- Resource: win10-de-20210920
General
- Target: Fri0541e16ce794d258f.exe
- Size: 284KB
- MD5: dec69c757ce1ae8454f97ef6966aa817
- SHA1: 160d556701a012ab18194aeecaa396e21727c9b2
- SHA256: 2b396ae1fa95ef655bb7b0eb45532a857d882bb601adeb8fb1b5d43dcff9ec31
- SHA512: c6304aa1a5b762804c81461fb1db1bae9ba57120c279dfb1ad83c3bb2e3309563f15c90a1a04a9f3acb5aac3a527432a87d1bb7ba32846dc75bda961b162db16
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes:
description | pid | process | target process
PID 2384 created 916 | 2384 | WerFault.exe | Fri0541e16ce794d258f.exe
- Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
3204 | 916 | WerFault.exe | Fri0541e16ce794d258f.exe
- Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3204 | WerFault.exe
3204 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 3204 | WerFault.exe
Token: SeBackupPrivilege | 3204 | WerFault.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description | pid | process | target process
PID 2384 wrote to memory of 916 | 2384 | WerFault.exe | Fri0541e16ce794d258f.exe
PID 2384 wrote to memory of 916 | 2384 | WerFault.exe | Fri0541e16ce794d258f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Fri0541e16ce794d258f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fri0541e16ce794d258f.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 256
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 916 -ip 916
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory