Analysis
- max time kernel: 113s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 24-11-2021 09:41
Static task: static1

Behavioral task: behavioral1
- Sample: Comanda, factura proforma.exe
- Resource: win7-en-20211104
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Comanda, factura proforma.exe
- Resource: win10-en-20211014
- 0 signatures, 0 seconds
General
- Target: Comanda, factura proforma.exe
- Size: 714KB
- MD5: d0374233b4f0b5872d99e4f91d7ef727
- SHA1: 36d3f48474f4ae50efe5108cdbeff33f621b33c1
- SHA256: 640632c9b58708ac0a556ebcbe773fbf391caf17ceac6e444b66679cc89bacbf
- SHA512: 009335b8f789ab5428d6797f04a1dfd33da8fcfeb87ed179de549d00a6c8e2047232240fcbd89d0ca1f20c5024c0311708d68c7732019049c16727bcaa7627fc
- Score: 6/10
Malware Config
(none extracted)

Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bkitkupu = "C:\\Users\\Admin\\Contacts\\Bkitkupu\\upuktikB.url"
    process: Comanda, factura proforma.exe

- Program crash (1 IoC)
  Processes:
    pid: 592
    pid_target: 1016
    process: WerFault.exe
    target process: logagent.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid: 592
    process: WerFault.exe
    (the same pid/process entry is listed 12 times)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege, pid 592, WerFault.exe
    Token: SeBackupPrivilege, pid 592, WerFault.exe
    Token: SeDebugPrivilege, pid 592, WerFault.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description: PID 2516 wrote to memory of 1016
    pid: 2516
    process: Comanda, factura proforma.exe
    target process: logagent.exe
    (the same entry is listed 5 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Comanda, factura proforma.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Comanda, factura proforma.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\logagent.exe (child of 1)
   command line: C:\Windows\System32\logagent.exe

3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
   command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 356
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
(no network activity recorded)

MITRE ATT&CK Matrix: ATT&CK v6

Downloads
- memory/1016-117-0x0000000000000000-mapping.dmp
- memory/1016-118-0x0000000002640000-0x0000000002641000-memory.dmp (4KB)
- memory/2516-115-0x0000000000670000-0x0000000000671000-memory.dmp (4KB)
- memory/2516-116-0x0000000002291000-0x00000000022A5000-memory.dmp (80KB)