Analysis
- max time kernel: 143s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 21-02-2022 16:38
Static task: static1
Behavioral task: behavioral1
- Sample: RunGame.exe
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: RunGame.exe
- Resource: win10v2004-en-20220113 (windows10-2004_x64)
- 0 signatures, 0 seconds
General
- Target: RunGame.exe
- Size: 544KB
- MD5: 17f9b91cebebf7572306fd0ba41614d8
- SHA1: a7c82813a2883fa7ffa096c9d1593dab3295d8f1
- SHA256: 0ffe907b5c97c43c881a2dd2d3208eb040ef2fba3a980fd6893cd8d122947e77
- SHA512: c19d8f7ac625ffc100b93fa721f4538a80de80e09605d0bc69d69e5493a03831b07d9bc392632ffa79a002192c2796992b127a04b012c87209aabb52bdddab8b
Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 2000 created 1396 | 2000 | WerFault.exe | RunGame.exe
  PID 4864 created 1396 | 4864 | WerFault.exe | RunGame.exe
- Drops file in Windows directory (6 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Program crash (2 IoCs)
  Processes:
  pid | pid_target | process | target process
  2436 | 1396 | WerFault.exe | RunGame.exe
  4320 | 1396 | WerFault.exe | RunGame.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  2436 | WerFault.exe
  2436 | WerFault.exe
  4320 | WerFault.exe
  4320 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2436 | WerFault.exe
  Token: SeBackupPrivilege | 2436 | WerFault.exe
  Token: SeShutdownPrivilege | 1424 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1424 | svchost.exe
  Token: SeShutdownPrivilege | 1424 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1424 | svchost.exe
  Token: SeShutdownPrivilege | 1424 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1424 | svchost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 2000 wrote to memory of 1396 | 2000 | WerFault.exe | RunGame.exe
  PID 2000 wrote to memory of 1396 | 2000 | WerFault.exe | RunGame.exe
  PID 4864 wrote to memory of 1396 | 4864 | WerFault.exe | RunGame.exe
  PID 4864 wrote to memory of 1396 | 4864 | WerFault.exe | RunGame.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RunGame.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RunGame.exe"
  - C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 444
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 452
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1396 -ip 1396
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1396 -ip 1396
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1396-130-0x00000000022E0000-0x0000000002340000-memory.dmp (Filesize: 384KB)
- memory/1424-131-0x000001C091530000-0x000001C091540000-memory.dmp (Filesize: 64KB)
- memory/1424-132-0x000001C091590000-0x000001C0915A0000-memory.dmp (Filesize: 64KB)
- memory/1424-133-0x000001C094270000-0x000001C094274000-memory.dmp (Filesize: 16KB)