Analysis

max time kernel: 134s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 23-02-2022 15:17

Static task: static1
Behavioral task: behavioral1
Sample: 5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
Resource: win7-20220223-en
0 signatures
0 seconds
General

Target: 5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
Size: 346KB
MD5: 4083b0e75f65d672e4ea31a97d5705ab
SHA1: d83783afc8d3c9579f02d2f0fab6f1ec40e117dd
SHA256: 5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445
SHA512: b4236b1fa73aae8c319d9a4ff7066ce171d00a975133ec8e1e01893edb3c8143d05cef2997cee5fd95cff03ad7bf4168c473f9ebea16c39dc53eeeb85ff44716
Malware Config

Extracted
Family: gozi_rm3
rsa_pubkey.base64
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
Processes:
description            pid   process       target process
PID 3744 created 2112  3744  WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
PID 1180 created 2112  1180  WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe

Program crash (2 IoCs)
Processes:
pid   pid_target  process       target process
368   2112        WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
1212  2112        WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                   WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz              WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                   WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz              WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
description        ioc                                                       process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS        WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS        WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid   process
368   WerFault.exe
368   WerFault.exe
1212  WerFault.exe
1212  WerFault.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                 pid  process
Token: SeRestorePrivilege   368  WerFault.exe
Token: SeBackupPrivilege    368  WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                         pid   process       target process
PID 3744 wrote to memory of 2112    3744  WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
PID 3744 wrote to memory of 2112    3744  WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
PID 1180 wrote to memory of 2112    1180  WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
PID 1180 wrote to memory of 2112    1180  WerFault.exe  5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe"
  PID: 2112

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 308
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 368

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 348
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 1212

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2112 -ip 2112
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
  PID: 3744

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2112 -ip 2112
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
  PID: 1180