Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 20/11/2021, 07:56
- Static task: static1
General
- Target: 10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe
- Size: 4.5MB
- MD5: 43dbb19672949c54bea088f785c39470
- SHA1: f625bb44935795cee20304e9f174c8121cd89c6e
- SHA256: 10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64
- SHA512: fc5fcc9c4d9a80d3d640405aeb3d66baf53853358824b32e4d99ea0562b1c5214bf28b48abe7f4a47a56d91ed7442453896b2c5cecede1a1ea37fa0e8c5f92d9
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  description              pid   Process       procid_target
  PID 1020 created 4380    1020  WerFault.exe  71
Executes dropped EXE 2 IoCs
  pid   Process
  3908  vinmall_dj.exe
  4380  setup.exe
Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
Checks whether UAC is enabled
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  vinmall_dj.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in Windows directory 1 IoCs
  description   ioc                                            Process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  WerFault.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 7 IoCs
  pid   pid_target  Process       procid_target
  3952  4380        WerFault.exe  71
  3308  4380        WerFault.exe  71
  4180  4380        WerFault.exe  71
  528   4380        WerFault.exe  71
  3928  4380        WerFault.exe  71
  828   4380        WerFault.exe  71
  1020  4380        WerFault.exe  71
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process       occurrences
  3952  WerFault.exe  12
  3308  WerFault.exe  12
  4180  WerFault.exe  12
  528   WerFault.exe  12
  3928  WerFault.exe  12
  1020  WerFault.exe  4
Suspicious use of AdjustPrivilegeToken 15 IoCs
  description                     pid   Process         occurrences
  Token: SeManageVolumePrivilege  3908  vinmall_dj.exe  6
  Token: SeRestorePrivilege       3952  WerFault.exe    1
  Token: SeBackupPrivilege        3952  WerFault.exe    2
  Token: SeDebugPrivilege         3952  WerFault.exe    1
  Token: SeDebugPrivilege         3308  WerFault.exe    1
  Token: SeDebugPrivilege         4180  WerFault.exe    1
  Token: SeDebugPrivilege         528   WerFault.exe    1
  Token: SeDebugPrivilege         3928  WerFault.exe    1
  Token: SeDebugPrivilege         1020  WerFault.exe    1
Suspicious use of WriteProcessMemory 6 IoCs
  description                       pid   Process                                                               procid_target  occurrences
  PID 3572 wrote to memory of 3908  3572  10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe  68             3
  PID 3572 wrote to memory of 4380  3572  10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe  71             3
Processes
- C:\Users\Admin\AppData\Local\Temp\10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe (PID 3572)
  command line: "C:\Users\Admin\AppData\Local\Temp\10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe (PID 3908)
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe"
    signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe (PID 4380)
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 3952)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 800
      signatures: Drops file in Windows directory; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 3308)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 812
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 4180)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 912
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 528)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 948
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 3928)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1232
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 828)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1276
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 1020)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1224
      signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken