Analysis

  • max time kernel
    118s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    12-02-2022 08:07

General

  • Target

    0baba892c72de9fc745662dc974b48df2b2cc4e5526ddb88d5dc03499de6d207.exe

  • Size

    100KB

  • MD5

    6f8d9cf2e6bc9a2551aeca323a539044

  • SHA1

    3e45aa1c19e3776cdccfffa54981b103dfc723b7

  • SHA256

    0baba892c72de9fc745662dc974b48df2b2cc4e5526ddb88d5dc03499de6d207

  • SHA512

    099fd89e84a0d2aef80affbe992e34a29dce996a090d8d0d5b951d12a65c59ba13e87a795bf382fbae84cd6057ed31810ebcd166c97f8749c1da92b9c81df7ae

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0baba892c72de9fc745662dc974b48df2b2cc4e5526ddb88d5dc03499de6d207.exe
    "C:\Users\Admin\AppData\Local\Temp\0baba892c72de9fc745662dc974b48df2b2cc4e5526ddb88d5dc03499de6d207.exe"
    1⤵
      PID:664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 340
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4748
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 664 -ip 664
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:4464
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1776
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3836

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1776-130-0x00000171F9380000-0x00000171F9390000-memory.dmp

    Filesize

    64KB

  • memory/1776-131-0x00000171F9B60000-0x00000171F9B70000-memory.dmp

    Filesize

    64KB

  • memory/1776-132-0x00000171FC760000-0x00000171FC764000-memory.dmp

    Filesize

    16KB