Overview

overview

10

Static

static

10

674ad8128d...9c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    99s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    28-01-2022 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    674ad8128d17418474a2b4615da81c935d4d7f9c.exe

  • Size

    160KB

  • MD5

    9716372508103ef6a050c0de6685c3a1

  • SHA1

    674ad8128d17418474a2b4615da81c935d4d7f9c

  • SHA256

    ae9600cb391f447933e29069ca3000bb61a005d58fe14eb84fd830403221e48f

  • SHA512

    6738de8f90602772486519971669c96a180d11a523c2870b34e94d93e5c5171769c26459d93cf220b44a6924b01aff485e9e4f1dddc817cb758992575ab62aed

Score
10/10
persistence

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\674ad8128d17418474a2b4615da81c935d4d7f9c.exe
    "C:\Users\Admin\AppData\Local\Temp\674ad8128d17418474a2b4615da81c935d4d7f9c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 224
      2⤵
      • Program crash
      PID:1296
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 224
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3076
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 2512
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:1388
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 7f173d994e60df3799fea632dc5e14a7 P1v5+yBnH02ab07c2wS1tw.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3380

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads