Analysis
max time kernel: 118s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211104
submitted: 20/11/2021, 08:01
Static task
static1
General
Target: 0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe
Size: 4.5MB
MD5: 75dcbb6e3b1c1dd085afbb3546b68ca4
SHA1: 4cb490c66468fe1b4c8d73509c53dd501a3de34d
SHA256: 0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3
SHA512: 6898ca20553d9a128d3c36248b172771d019a7206177f9742951bbc54316304be1e0862bf94a8ff3446c53d1ddb0cf827a7acf9c9585d4e4c2dc64e1e8ef8c84
Malware Config
Signatures

- Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  description           pid   Process       procid_target
  PID 2744 created 376  2744  WerFault.exe  71

- suricata: ET MALWARE GCleaner Downloader Activity M5

- Executes dropped EXE 2 IoCs
  pid   Process
  3344  vinmall_da.exe
  376   setup.exe

- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks whether UAC is enabled 1 IoCs
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  vinmall_da.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs

- Drops file in Windows directory 1 IoCs
  description   ioc                                            Process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  WerFault.exe

- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash 7 IoCs
  pid   pid_target  Process       procid_target
  1908  376         WerFault.exe  71
  648   376         WerFault.exe  71
  576   376         WerFault.exe  71
  1608  376         WerFault.exe  71
  3836  376         WerFault.exe  71
  1960  376         WerFault.exe  71
  2744  376         WerFault.exe  71

- Suspicious behavior: EnumeratesProcesses 64 IoCs
  (identical rows collapsed; the report lists 64 rows in total)
  pid   Process       rows
  1908  WerFault.exe  12
  648   WerFault.exe  12
  576   WerFault.exe  12
  1608  WerFault.exe  12
  3836  WerFault.exe  12
  1960  WerFault.exe  4

- Suspicious use of AdjustPrivilegeToken 16 IoCs
  description                     pid   Process
  Token: SeManageVolumePrivilege  3344  vinmall_da.exe
  Token: SeManageVolumePrivilege  3344  vinmall_da.exe
  Token: SeManageVolumePrivilege  3344  vinmall_da.exe
  Token: SeManageVolumePrivilege  3344  vinmall_da.exe
  Token: SeManageVolumePrivilege  3344  vinmall_da.exe
  Token: SeManageVolumePrivilege  3344  vinmall_da.exe
  Token: SeRestorePrivilege       1908  WerFault.exe
  Token: SeBackupPrivilege        1908  WerFault.exe
  Token: SeBackupPrivilege        1908  WerFault.exe
  Token: SeDebugPrivilege         1908  WerFault.exe
  Token: SeDebugPrivilege         648   WerFault.exe
  Token: SeDebugPrivilege         576   WerFault.exe
  Token: SeDebugPrivilege         1608  WerFault.exe
  Token: SeDebugPrivilege         3836  WerFault.exe
  Token: SeDebugPrivilege         1960  WerFault.exe
  Token: SeDebugPrivilege         2744  WerFault.exe

- Suspicious use of WriteProcessMemory 6 IoCs
  description                       pid   Process                                                                               procid_target
  PID 2936 wrote to memory of 3344  2936  0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe  68
  PID 2936 wrote to memory of 3344  2936  0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe  68
  PID 2936 wrote to memory of 3344  2936  0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe  68
  PID 2936 wrote to memory of 376   2936  0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe  71
  PID 2936 wrote to memory of 376   2936  0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe  71
  PID 2936 wrote to memory of 376   2936  0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe  71
Processes

- C:\Users\Admin\AppData\Local\Temp\0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2936

  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID: 3344

  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    - Executes dropped EXE
    PID: 376

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 800
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1908

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 780
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 648

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 816
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 576

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 948
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1608

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1160
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3836

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1256
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1960

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1248
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 2744