Analysis
- max time kernel: 146s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 11-02-2022 18:01

Static task: static1
Behavioral task: behavioral1
Sample: 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
Resource: win7-en-20211208
General
- Target: 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
- Size: 375KB
- MD5: 32816da2c4b57793f943d58058d9abec
- SHA1: 2b7ec6b605cabf7c1156abb99640d30c6567203d
- SHA256: 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d
- SHA512: 634bf6e5350d5b041b093fb49c330533c0ebb42105bc386b941ab7e3c619122418b905410a660517a99e12574c78f8ddf4b5bf1f21b73233678cda0842ff94bf
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes: WerFault.exe
    description | pid | process | target process
    PID 3392 created 4820 | 3392 | WerFault.exe | 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (9 IoCs)
  Processes: svchost.exe, TiWorker.exe, WerFault.exe
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    3536 | 4820 | WerFault.exe | 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WerFault.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: WerFault.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: WerFault.exe
    pid | process
    3536 | WerFault.exe
    3536 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe, svchost.exe, TiWorker.exe, WerFault.exe
    description | pid | process
    Token: SeDebugPrivilege | 4820 | 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
    Token: SeShutdownPrivilege | 4988 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4988 | svchost.exe
    Token: SeShutdownPrivilege | 4988 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4988 | svchost.exe
    Token: SeShutdownPrivilege | 4988 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4988 | svchost.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | WerFault.exe
    Token: SeBackupPrivilege | 3536 | WerFault.exe
    Token: SeBackupPrivilege | 3536 | WerFault.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
    Token: SeBackupPrivilege | 2092 | TiWorker.exe
    Token: SeRestorePrivilege | 2092 | TiWorker.exe
    Token: SeSecurityPrivilege | 2092 | TiWorker.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WerFault.exe
    description | pid | process | target process
    PID 3392 wrote to memory of 4820 | 3392 | WerFault.exe | 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
    PID 3392 wrote to memory of 4820 | 3392 | WerFault.exe | 8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1244
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4820 -ip 4820
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file | filesize
  memory/4820-145-0x0000000007514000-0x0000000007516000-memory.dmp | 8KB
  memory/4820-132-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/4820-140-0x0000000007AD0000-0x00000000080E8000-memory.dmp | 6.1MB
  memory/4820-133-0x0000000074CEE000-0x0000000074CEF000-memory.dmp | 4KB
  memory/4820-134-0x0000000007510000-0x0000000007511000-memory.dmp | 4KB
  memory/4820-135-0x0000000007512000-0x0000000007513000-memory.dmp | 4KB
  memory/4820-136-0x0000000007513000-0x0000000007514000-memory.dmp | 4KB
  memory/4820-137-0x0000000007520000-0x0000000007AC4000-memory.dmp | 5.6MB
  memory/4820-142-0x0000000007430000-0x0000000007442000-memory.dmp | 72KB
  memory/4820-150-0x0000000008ED0000-0x0000000009092000-memory.dmp | 1.8MB
  memory/4820-151-0x00000000090A0000-0x00000000095CC000-memory.dmp | 5.2MB
  memory/4820-131-0x0000000004870000-0x00000000048A9000-memory.dmp | 228KB
  memory/4820-149-0x0000000008CF0000-0x0000000008D0E000-memory.dmp | 120KB
  memory/4820-143-0x00000000080F0000-0x00000000081FA000-memory.dmp | 1.0MB
  memory/4820-144-0x0000000007470000-0x00000000074AC000-memory.dmp | 240KB
  memory/4820-130-0x0000000004840000-0x000000000486B000-memory.dmp | 172KB
  memory/4820-146-0x0000000008480000-0x00000000084E6000-memory.dmp | 408KB
  memory/4820-147-0x0000000008B20000-0x0000000008BB2000-memory.dmp | 584KB
  memory/4820-148-0x0000000008BD0000-0x0000000008C46000-memory.dmp | 472KB
  memory/4988-138-0x00000214C4720000-0x00000214C4730000-memory.dmp | 64KB
  memory/4988-139-0x00000214C4780000-0x00000214C4790000-memory.dmp | 64KB
  memory/4988-141-0x00000214C6E40000-0x00000214C6E44000-memory.dmp | 16KB