Analysis
- max time kernel: 4294178s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 25-02-2022 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
- Resource: win10v2004-en-20220112
General
- Target: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
- Size: 7.8MB
- MD5: 20ba712dce269dffcfdc7799efd1a36f
- SHA1: e8ae85628d28b5a6d28e02cdd8b20037ed498914
- SHA256: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8
- SHA512: 819ce30b2babf3bbd4aa3bddcf39d17e3084f107a65fb4c0f99af17791cf0c8cd3be8ac139d6f6bacd75bf5d1160e91c952a9677b58df50c53ed84133e8a493e
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\International\Geo\Nation
    process: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid: 660
    pid_target: 1140
    process: WerFault.exe
    target process: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: WerFault.exe
    pid: 660
    process: WerFault.exe
    (the same entry is reported 4 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WerFault.exe
    description: Token: SeDebugPrivilege
    pid: 660
    process: WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
    description: PID 1140 wrote to memory of 660
    pid: 1140
    process: 30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
    target process: WerFault.exe
    (the same entry is reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30fb56d8d4977c094901fea9e4d8d57692b3dd09e8b547ce38fdacee3385ffe8.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 536
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken