2b396ae1fa95ef655bb7b0eb45532a857d882bb601adeb8fb1b5d43dcff9ec31

General

Target

Fri0541e16ce794d258f.exe
Size

284KB
MD5

dec69c757ce1ae8454f97ef6966aa817
SHA1

160d556701a012ab18194aeecaa396e21727c9b2
SHA256

2b396ae1fa95ef655bb7b0eb45532a857d882bb601adeb8fb1b5d43dcff9ec31
SHA512

c6304aa1a5b762804c81461fb1db1bae9ba57120c279dfb1ad83c3bb2e3309563f15c90a1a04a9f3acb5aac3a527432a87d1bb7ba32846dc75bda961b162db16

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2384 created 916 2384 WerFault.exe Fri0541e16ce794d258f.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3204 916 WerFault.exe Fri0541e16ce794d258f.exe

description	pid	process	target process
PID 2384 created 916	2384	WerFault.exe	Fri0541e16ce794d258f.exe

pid	pid_target	process	target process
3204	916	WerFault.exe	Fri0541e16ce794d258f.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WerFault.exe

pid process

3204 WerFault.exe
3204 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3204 WerFault.exe
Token: SeBackupPrivilege 3204 WerFault.exe

pid	process
3204	WerFault.exe
3204	WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3204	WerFault.exe
Token: SeBackupPrivilege	3204	WerFault.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WerFault.exe

description	pid	process	target process
PID 2384 wrote to memory of 916	2384	WerFault.exe	Fri0541e16ce794d258f.exe
PID 2384 wrote to memory of 916	2384	WerFault.exe	Fri0541e16ce794d258f.exe

C:\Users\Admin\AppData\Local\Temp\Fri0541e16ce794d258f.exe
"C:\Users\Admin\AppData\Local\Temp\Fri0541e16ce794d258f.exe"
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 256
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 916 -ip 916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-146-0x0000000000BD9000-0x0000000000BEA000-memory.dmp

Filesize
68KB

Download
memory/916-147-0x0000000000A40000-0x0000000000A49000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads