Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    15-02-2022 04:25

General

  • Target: fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe
  • Size: 1.4MB
  • MD5: 921e404df10785d495eb902bc95edea2
  • SHA1: f5b83383a848666aa1c86452cb7145d6d5b0a381
  • SHA256: fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7
  • SHA512: efad99adf754418a2a25dfdd35e7da95ae3284bfc18781575c4050c7b403d3d4de21c6b29d42b82af79ddff3c983d68285c0be64d4cdcc9aa62610081fe4b469

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe
    "C:\Users\Admin\AppData\Local\Temp\fe366d465529880c7acc45f37268f9013172008ff3b5903c3aecfc90b08a80a7.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:1036
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1036 -s 1172
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4616
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1036 -s 1188
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1008
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 428 -p 1036 -ip 1036
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:4012
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 560 -p 1036 -ip 1036
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:1128
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4612
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1036-130-0x00007FFCDD9A3000-0x00007FFCDD9A5000-memory.dmp (Filesize: 8KB)
  • memory/1036-131-0x000001C2F5740000-0x000001C2F5742000-memory.dmp (Filesize: 8KB)
  • memory/1036-132-0x000001C2F5743000-0x000001C2F5745000-memory.dmp (Filesize: 8KB)
  • memory/1036-133-0x000001C2F5746000-0x000001C2F5747000-memory.dmp (Filesize: 4KB)
  • memory/1036-134-0x000001C2F5747000-0x000001C2F5748000-memory.dmp (Filesize: 4KB)
  • memory/1036-135-0x000001C2F5748000-0x000001C2F574A000-memory.dmp (Filesize: 8KB)
  • memory/4612-136-0x000001FADB170000-0x000001FADB180000-memory.dmp (Filesize: 64KB)
  • memory/4612-137-0x000001FADB720000-0x000001FADB730000-memory.dmp (Filesize: 64KB)
  • memory/4612-138-0x000001FADDDF0000-0x000001FADDDF4000-memory.dmp (Filesize: 16KB)