Analysis
-
max time kernel
122s -
max time network
138s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
06-12-2021 14:56
Static task
static1
Behavioral task
behavioral1
Sample
u prilogu je nova narudzba za kupnju.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
u prilogu je nova narudzba za kupnju.exe
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
General
-
Target
u prilogu je nova narudzba za kupnju.exe
-
Size
1.0MB
-
MD5
586db006f3320cb9a41a62f7f5a0c4e1
-
SHA1
3b6f558429e9fe51b191dfbb63bdc7161d95870a
-
SHA256
af2a8024939f13bee37b6d3a35aa5df93e2a6b11cede4bea19493c4d704b050f
-
SHA512
aa79f05e68b71cb7cb5ddb9f12ceada09e7433d7733adcde6c20eb1a3695cff22161cb73e8cee0898444e9e1ec9258b2a6ae4e2e780b5ed9849d4a1596cd3d17
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
u prilogu je nova narudzba za kupnju.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hpleoguu = "C:\\Users\\Admin\\uugoelpH.url" u prilogu je nova narudzba za kupnju.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4156 4164 WerFault.exe DpiScaling.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
WerFault.exepid process 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe 4156 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4156 WerFault.exe Token: SeBackupPrivilege 4156 WerFault.exe Token: SeDebugPrivilege 4156 WerFault.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
u prilogu je nova narudzba za kupnju.exedescription pid process target process PID 3588 wrote to memory of 4164 3588 u prilogu je nova narudzba za kupnju.exe DpiScaling.exe PID 3588 wrote to memory of 4164 3588 u prilogu je nova narudzba za kupnju.exe DpiScaling.exe PID 3588 wrote to memory of 4164 3588 u prilogu je nova narudzba za kupnju.exe DpiScaling.exe PID 3588 wrote to memory of 4164 3588 u prilogu je nova narudzba za kupnju.exe DpiScaling.exe PID 3588 wrote to memory of 4164 3588 u prilogu je nova narudzba za kupnju.exe DpiScaling.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\u prilogu je nova narudzba za kupnju.exe"C:\Users\Admin\AppData\Local\Temp\u prilogu je nova narudzba za kupnju.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\DpiScaling.exeC:\Windows\System32\DpiScaling.exe2⤵PID:4164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 4883⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3588-118-0x0000000002501000-0x0000000002515000-memory.dmpFilesize
80KB
-
memory/3588-119-0x00000000023A0000-0x00000000023A1000-memory.dmpFilesize
4KB
-
memory/4164-120-0x0000000000000000-mapping.dmp
-
memory/4164-121-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB