Analysis
  max time kernel: 171s
  max time network: 188s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220113
  submitted: 10-02-2022 03:17

Static task: static1

Behavioral task: behavioral1
  Sample: 24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll
  Resource: win10v2004-en-20220113
General
  Target: 24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll
  Size:   209KB
  MD5:    3f535607cca76b56fc9beb31be3088fb
  SHA1:   215c81780a68d5b7e5fb1ff000bc138b9c2f24bb
  SHA256: 24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453
  SHA512: f60ef14a1c4356b50f8211abc4723aa49ef06033ce5f244c210b45825d7e2b902661b9746d607a3626a548db947c23bee247eda6e8db2d95ce8e6d5445b6fa3d
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description            pid   process       target process
    PID 1336 created 1404  1336  WerFault.exe  rundll32.exe
Drops file in Windows directory (8 IoCs)
  Processes:
    description                   ioc                                                        process
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    4728  1404        WerFault.exe  rundll32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                  process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    description        ioc                                                    process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS      WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4728  WerFault.exe
    4728  WerFault.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                       pid   process
    Token: SeRestorePrivilege         4728  WerFault.exe
    Token: SeBackupPrivilege          4728  WerFault.exe
    Token: SeShutdownPrivilege        4988  svchost.exe
    Token: SeCreatePagefilePrivilege  4988  svchost.exe
    Token: SeShutdownPrivilege        4988  svchost.exe
    Token: SeCreatePagefilePrivilege  4988  svchost.exe
    Token: SeShutdownPrivilege        4988  svchost.exe
    Token: SeCreatePagefilePrivilege  4988  svchost.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
    Token: SeSecurityPrivilege        4232  TiWorker.exe
    Token: SeBackupPrivilege          4232  TiWorker.exe
    Token: SeRestorePrivilege         4232  TiWorker.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1436 wrote to memory of 1404  1436  rundll32.exe  rundll32.exe
    PID 1436 wrote to memory of 1404  1436  rundll32.exe  rundll32.exe
    PID 1436 wrote to memory of 1404  1436  rundll32.exe  rundll32.exe
    PID 1336 wrote to memory of 1404  1336  WerFault.exe  rundll32.exe
    PID 1336 wrote to memory of 1404  1336  WerFault.exe  rundll32.exe
Processes

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll,#1

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 632
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1404 -ip 1404
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory

  C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken