f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
138s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-01-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Size

1.6MB
MD5

79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1

8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256

556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512

3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

Score

10^/10

spyware stealer upx

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 760 created 2628 760 WerFault.exe 61e7501db65f3_Tue23c7b395c3.exe
Executes dropped EXE 1 IoCs

Processes:

11111.exe

pid process

2076 11111.exe

description	pid	process	target process
PID 760 created 2628	760	WerFault.exe	61e7501db65f3_Tue23c7b395c3.exe

pid	process
2076	11111.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3752 2628 WerFault.exe 61e7501db65f3_Tue23c7b395c3.exe

flow	ioc
16	ip-api.com

pid	pid_target	process	target process
3752	2628	WerFault.exe	61e7501db65f3_Tue23c7b395c3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

11111.exeWerFault.exe

pid process

2076 11111.exe
2076 11111.exe
2076 11111.exe
2076 11111.exe
3752 WerFault.exe
3752 WerFault.exe

pid	process
2076	11111.exe
2076	11111.exe
2076	11111.exe
2076	11111.exe
3752	WerFault.exe
3752	WerFault.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

61e7501db65f3_Tue23c7b395c3.exeWerFault.exe

description	pid	process	target process
PID 2628 wrote to memory of 2076	2628	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2628 wrote to memory of 2076	2628	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2628 wrote to memory of 2076	2628	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 760 wrote to memory of 2628	760	WerFault.exe	61e7501db65f3_Tue23c7b395c3.exe
PID 760 wrote to memory of 2628	760	WerFault.exe	61e7501db65f3_Tue23c7b395c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2628 -s 916
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2628 -ip 2628
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe
MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe
MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
93784f6d96c9c9104e21658c932c7161

SHA1
5f7903790dde06c449025f589d5072935163bc5d

SHA256
760df0359f0847383e2910cc7081740b3ac9b392ab745d65287672a661db0d38

SHA512
46e964678beac0d9ee43a982c11a504a6b636a8cf4460d18033bf4a87b98282530da12809aa37121197488edfdb6fac0f9f86afac301eba71d5bf84570bc649b

Download Submit