Analysis
-
max time kernel
121s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 10:02
Behavioral task
behavioral1
Sample
5f49b4e7f7eb260f41776f02600f71acd1283659f3974c62af92ecdba8289d1d.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
5f49b4e7f7eb260f41776f02600f71acd1283659f3974c62af92ecdba8289d1d.dll
Resource
win10v2004-en-20220112
General
-
Target
5f49b4e7f7eb260f41776f02600f71acd1283659f3974c62af92ecdba8289d1d.dll
-
Size
134KB
-
MD5
29465a900924318d4707117e41287ff0
-
SHA1
9a577e5e5380b40f7d9b4a6fe5a0d8c9e400659e
-
SHA256
5f49b4e7f7eb260f41776f02600f71acd1283659f3974c62af92ecdba8289d1d
-
SHA512
19cef069614a1271b6ceebbbb435d6c746c2da32bd8caf014dcd8b3bab4af207640bac5ab2440f8dada28de45cd643e7c84b1e0c4e37df9ae407c3443e733426
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 1380 created 3100 1380 WerFault.exe rundll32.exe -
Sets service image path in registry 2 TTPs
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 204 3100 WerFault.exe rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Modifies data under HKEY_USERS 41 IoCs
Processes:
WaaSMedicAgent.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
WerFault.exepid process 204 WerFault.exe 204 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 204 WerFault.exe Token: SeBackupPrivilege 204 WerFault.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
rundll32.exeWerFault.exedescription pid process target process PID 3096 wrote to memory of 3100 3096 rundll32.exe rundll32.exe PID 3096 wrote to memory of 3100 3096 rundll32.exe rundll32.exe PID 3096 wrote to memory of 3100 3096 rundll32.exe rundll32.exe PID 1380 wrote to memory of 3100 1380 WerFault.exe rundll32.exe PID 1380 wrote to memory of 3100 1380 WerFault.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5f49b4e7f7eb260f41776f02600f71acd1283659f3974c62af92ecdba8289d1d.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5f49b4e7f7eb260f41776f02600f71acd1283659f3974c62af92ecdba8289d1d.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 6283⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3100 -ip 31001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe c78c8080ac31f788471a6633d7ff72b9 SQSLfwJpYki1XtwICMDPjw.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵