Analysis
max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211104
submitted: 02-12-2021 06:53
Static task: static1
Behavioral task: behavioral1
  Sample: Scan096355.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: Scan096355.exe
  Resource: win10-en-20211014
General
Target: Scan096355.exe
Size: 680KB
MD5: 2e65f749507d0fb3a8e980565a5055a1
SHA1: dcd01dd0b4c76b26ba5f1590016a28ed7286a7f4
SHA256: 7550bec79c053dc848454a9b4e4ddeef38d5e1873b9df5940813af85aacfd021
SHA512: e8b3cb57c995561defe236feb32e9811a19123bb4e25e9a7b36c8c42b6b2c2e5cc6608633c895e3a6863adc9e59fa0f70ad4f6ce3f44e129cabc92122eacf276
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Scan096355.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Scan096355.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum        Scan096355.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0      Scan096355.exe
- Program crash (1 IoCs)
  Processes:
    pid  pid_target  process       target process
    620  744         WerFault.exe  Scan096355.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid  process
    620  WerFault.exe  (5 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid  process
    620  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  620  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid  process         target process
    PID 744 wrote to memory of 620    744  Scan096355.exe  WerFault.exe  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Scan096355.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Scan096355.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of process 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 892
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/620-60-0x0000000000000000-mapping.dmp
- memory/620-61-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/744-55-0x0000000000910000-0x0000000000911000-memory.dmp (Filesize: 4KB)
- memory/744-57-0x0000000000510000-0x0000000000516000-memory.dmp (Filesize: 24KB)
- memory/744-58-0x00000000045B0000-0x00000000045B1000-memory.dmp (Filesize: 4KB)
- memory/744-59-0x00000000045F0000-0x0000000004659000-memory.dmp (Filesize: 420KB)