af2a8024939f13bee37b6d3a35aa5df93e2a6b11cede4bea19493c4d704b050f

Analysis

max time kernel
122s
max time network
138s
platform
windows10_x64
resource
win10-en-20211104
submitted
06-12-2021 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u prilogu je nova narudzba za kupnju.exe
Size

1.0MB
MD5

586db006f3320cb9a41a62f7f5a0c4e1
SHA1

3b6f558429e9fe51b191dfbb63bdc7161d95870a
SHA256

af2a8024939f13bee37b6d3a35aa5df93e2a6b11cede4bea19493c4d704b050f
SHA512

aa79f05e68b71cb7cb5ddb9f12ceada09e7433d7733adcde6c20eb1a3695cff22161cb73e8cee0898444e9e1ec9258b2a6ae4e2e780b5ed9849d4a1596cd3d17

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

u prilogu je nova narudzba za kupnju.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hpleoguu = "C:\\Users\\Admin\\uugoelpH.url"	u prilogu je nova narudzba za kupnju.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4156 4164 WerFault.exe DpiScaling.exe

pid	pid_target	process	target process
4156	4164	WerFault.exe	DpiScaling.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe
4156	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4156 WerFault.exe
Token: SeBackupPrivilege 4156 WerFault.exe
Token: SeDebugPrivilege 4156 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4156	WerFault.exe
Token: SeBackupPrivilege	4156	WerFault.exe
Token: SeDebugPrivilege	4156	WerFault.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

u prilogu je nova narudzba za kupnju.exe

description	pid	process	target process
PID 3588 wrote to memory of 4164	3588	u prilogu je nova narudzba za kupnju.exe	DpiScaling.exe
PID 3588 wrote to memory of 4164	3588	u prilogu je nova narudzba za kupnju.exe	DpiScaling.exe
PID 3588 wrote to memory of 4164	3588	u prilogu je nova narudzba za kupnju.exe	DpiScaling.exe
PID 3588 wrote to memory of 4164	3588	u prilogu je nova narudzba za kupnju.exe	DpiScaling.exe
PID 3588 wrote to memory of 4164	3588	u prilogu je nova narudzba za kupnju.exe	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\u prilogu je nova narudzba za kupnju.exe
"C:\Users\Admin\AppData\Local\Temp\u prilogu je nova narudzba za kupnju.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 488
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3588-118-0x0000000002501000-0x0000000002515000-memory.dmp

Filesize
80KB

Download
memory/3588-119-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4164-120-0x0000000000000000-mapping.dmp

Download
memory/4164-121-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download