Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
15-02-2022 04:25
Static task
static1
Behavioral task
behavioral1
Sample
fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe
Resource
win10v2004-en-20220113
General
-
Target
fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe
-
Size
1.4MB
-
MD5
921e404df10785d495eb902bc95edea2
-
SHA1
f5b83383a848666aa1c86452cb7145d6d5b0a381
-
SHA256
fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7
-
SHA512
efad99adf754418a2a25dfdd35e7da95ae3284bfc18781575c4050c7b403d3d4de21c6b29d42b82af79ddff3c983d68285c0be64d4cdcc9aa62610081fe4b469
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description pid Process procid_target PID 4012 created 1036 4012 WerFault.exe 81 PID 1128 created 1036 1128 WerFault.exe 81 -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 4616 1036 WerFault.exe 81 1008 1036 WerFault.exe 81 -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4616 WerFault.exe 4616 WerFault.exe 1008 WerFault.exe 1008 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1036 fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe Token: SeShutdownPrivilege 4612 svchost.exe Token: SeCreatePagefilePrivilege 4612 svchost.exe Token: SeShutdownPrivilege 4612 svchost.exe Token: SeCreatePagefilePrivilege 4612 svchost.exe Token: SeShutdownPrivilege 4612 svchost.exe Token: SeCreatePagefilePrivilege 4612 svchost.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe Token: SeBackupPrivilege 4736 TiWorker.exe Token: SeRestorePrivilege 4736 TiWorker.exe Token: SeSecurityPrivilege 4736 TiWorker.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4012 wrote to memory of 1036 4012 WerFault.exe 81 PID 4012 wrote to memory of 1036 4012 WerFault.exe 81 PID 1128 wrote to memory of 1036 1128 WerFault.exe 81 PID 1128 wrote to memory of 1036 1128 WerFault.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe"C:\Users\Admin\AppData\Local\Temp\fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1036 -s 11722⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4616
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1036 -s 11882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1008
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 428 -p 1036 -ip 10361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4012
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 1036 -ip 10361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1128
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4736