Analysis
- max time kernel: 130s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 21-02-2022 11:26
Static task: static1
Behavioral task: behavioral1
- Sample: Materials.exe
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: Materials.exe
- Resource: win10v2004-en-20220113
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: Materials.exe
- Size: 357KB
- MD5: 8bd9a34cf06fa228b4ccd401808723cc
- SHA1: e17daeaf2e0dcfdbaf026866c00fefb0beb47520
- SHA256: 38f3aadc65df16aed9f5bbaa5f42598d3fd9b29811429fcddd679a40b092fca0
- SHA512: 3d3ac1d0d90125fba07ca8a6fe0bb75a95b47b1caf177854b9e476aede2cefe396c68bb68c7dde0e32b22a740708aa3f23dd3726f3789504b83fd0b195c0479e
Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 4764 created 4444 | 4764 | WerFault.exe | Materials.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1836 set thread context of 4444 | 1836 | Materials.exe | Materials.exe
- Drops file in Windows directory (6 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  1564 | 4444 | WerFault.exe | Materials.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1564 | WerFault.exe
  1564 | WerFault.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  1836 | Materials.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 1564 | WerFault.exe
  Token: SeBackupPrivilege | 1564 | WerFault.exe
  Token: SeShutdownPrivilege | 4952 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4952 | svchost.exe
  Token: SeShutdownPrivilege | 4952 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4952 | svchost.exe
  Token: SeShutdownPrivilege | 4952 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4952 | svchost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1836 wrote to memory of 4648 | 1836 | Materials.exe | cmd.exe
  PID 1836 wrote to memory of 4648 | 1836 | Materials.exe | cmd.exe
  PID 1836 wrote to memory of 4648 | 1836 | Materials.exe | cmd.exe
  PID 1836 wrote to memory of 4592 | 1836 | Materials.exe | cmd.exe
  PID 1836 wrote to memory of 4592 | 1836 | Materials.exe | cmd.exe
  PID 1836 wrote to memory of 4592 | 1836 | Materials.exe | cmd.exe
  PID 1836 wrote to memory of 4444 | 1836 | Materials.exe | Materials.exe
  PID 1836 wrote to memory of 4444 | 1836 | Materials.exe | Materials.exe
  PID 1836 wrote to memory of 4444 | 1836 | Materials.exe | Materials.exe
  PID 1836 wrote to memory of 4444 | 1836 | Materials.exe | Materials.exe
  PID 4764 wrote to memory of 4444 | 4764 | WerFault.exe | Materials.exe
  PID 4764 wrote to memory of 4444 | 4764 | WerFault.exe | Materials.exe
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\Materials.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Materials.exe"
  PID: 1836
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 4648
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 4592
    C:\Users\Admin\AppData\Local\Temp\Materials.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Materials.exe"
      PID: 4444
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 24
          PID: 1564
          - Program crash
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4444 -ip 4444
  PID: 4764
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4952
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1836-133-0x000000000054D000-0x0000000000550000-memory.dmp (Filesize: 12KB)
- memory/4952-134-0x0000021EE6560000-0x0000021EE6570000-memory.dmp (Filesize: 64KB)
- memory/4952-135-0x0000021EE6B20000-0x0000021EE6B30000-memory.dmp (Filesize: 64KB)
- memory/4952-136-0x0000021EE9190000-0x0000021EE9194000-memory.dmp (Filesize: 16KB)