Analysis

  • max time kernel
    128s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    28-02-2022 03:21

General

  • Target

    fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

  • Size

    365KB

  • MD5

    2371d432700a7e1f9c070a6e97fdb634

  • SHA1

    00d6c66ab2fd1810628d13980cc73275884933b1

  • SHA256

    fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e

  • SHA512

    423e76393e65defab5cdaef0c2a3249cadfbd3413d6763db8428e3a6a13e2a880c6a93cba35cf783ccc126b26bcd3e6ad6bf3059be94ca0d3798b75b51c4e7e5

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the signature is attributed only to WerFault.exe (PID 3496), the Windows crash reporter, which reads the same keys while assembling a crash report, so on its own it is not evidence that the sample fingerprints the machine.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
    "C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
      "C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe"
      2⤵
      PID:2024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 184
        3⤵
        • Drops file in Windows directory
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2024 -ip 2024
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:4916

  Reading the tree: the sample (PID 2772) starts a second copy of its own image (PID 2024) and is the only process on which both WriteProcessMemory and SetThreadContext are recorded, the call pair used to write a payload into a suspended child and point its main thread at it; this is consistent with process hollowing (RunPE-style self-injection). The child then crashes: WerFault.exe PID 3496 is launched from inside the crashing process, and PID 4916 (-pss) is created by the Windows Error Reporting service with the crashed process assigned as its parent, which is why the NtCreateProcessExOtherParentProcess signature fires on it. Because the injected stage crashed, the behaviour recorded here is likely incomplete, and the signatures on the two WerFault.exe instances belong to crash reporting rather than to the sample.
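The tree above can be turned into a detection. The following is an added example written for this page, not code from Triage or from the sample: it replays the process tree as constructed events and applies two rules, one for the self-image hollowing pattern (parent spawns its own image, then WriteProcessMemory and SetThreadContext target that child) and one that labels WerFault.exe instances by the PID in their -p argument so their signatures are not misattributed. The per-call target PIDs are an assumption; the report lists signature names per process, not call arguments.

```python
"""Flag process-hollowing-style self-injection in a sandbox process tree.

Added example, not code from the Triage report or the sample. The events
below are constructed from the report's process tree; the target PID of each
API call is an assumption (the report lists signature names per process, not
call arguments), chosen to match the tree shape.
"""
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe")
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]
    # (api_name, target_pid) pairs observed from this process
    calls: list = field(default_factory=list)


# Constructed from the report: sample -> copy of itself -> in-process WerFault,
# plus the service-launched WerFault (-pss) reparented under the crashed copy.
PROCESSES = [
    Proc(2772, SAMPLE, f'"{SAMPLE}"', None, calls=[
        ("WriteProcessMemory", 2024), ("SetThreadContext", 2024),
        ("AdjustPrivilegeToken", 2772)]),
    Proc(2024, SAMPLE, f'"{SAMPLE}"', 2772),
    Proc(3496, WERFAULT, f"{WERFAULT} -u -p 2024 -s 184", 2024, calls=[
        ("RegQueryValueEx", 3496), ("AdjustPrivilegeToken", 3496)]),
    Proc(4916, WERFAULT, f"{WERFAULT} -pss -s 408 -p 2024 -ip 2024", 2024, calls=[
        ("NtCreateProcessEx", 4916), ("WriteProcessMemory", 2024)]),
]

# Writing the payload and redirecting the main thread are the two calls that
# distinguish hollowing from an ordinary child launch.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def werfault_target(p: Proc) -> Optional[int]:
    """PID named by WerFault.exe's -p argument, or None for other processes."""
    if not p.image.lower().endswith("\\werfault.exe"):
        return None
    argv = p.cmdline.split()
    if "-p" in argv:
        i = argv.index("-p")
        if i + 1 < len(argv) and argv[i + 1].isdigit():
            return int(argv[i + 1])
    return None


def find_self_injection(procs):
    """Rule 1: a process spawns its own image and writes into / retargets it."""
    findings = []
    for parent in procs:
        for child in procs:
            if child.parent != parent.pid or child.image.lower() != parent.image.lower():
                continue
            seen = {api for api, tgt in parent.calls
                    if tgt == child.pid and api in HOLLOWING_APIS}
            if seen == HOLLOWING_APIS:
                findings.append({"rule": "self_image_hollowing",
                                 "parent": parent.pid, "child": child.pid,
                                 "apis": sorted(seen)})
    return findings


def summarize(procs):
    """Rule 2 on top of rule 1: separate crash reporting from sample activity.

    WerFault.exe also writes into the crashed process (PID 4916 above), but it
    is neither the parent nor the same image, so rule 1 does not fire on it.
    """
    reporters = {p.pid: werfault_target(p) for p in procs if werfault_target(p)}
    crashed = sorted(set(reporters.values()))
    injected = find_self_injection(procs)
    return {
        "self_injection": injected,
        "crash_reporters": reporters,  # {werfault_pid: crashed_pid}
        "crashed": crashed,
        # a crashed injected child means the second stage may not have run fully
        "stage2_incomplete": any(f["child"] in crashed for f in injected),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(PROCESSES), indent=2))
```

The same-image check is what keeps the rule quiet on WerFault.exe, which legitimately calls WriteProcessMemory against the crashed process; a broader rule would key on any suspended child being written to and retargeted, regardless of image.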

Network

  No network activity is listed for this run.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 2 signatures
    • System Information Discovery (T1082): 2 signatures


Downloads

  Memory dumps taken during the run. Each name has the form memory/<pid>-<sequence>-<start>-<end>-memory.dmp, where start and end bound the dumped region (end minus start equals the listed size in every case). Eight regions come from the parent (PID 2772); the 44KB region at 0x180000 is the only memory captured from the child (PID 2024).

  • memory/2024-140-0x0000000000180000-0x000000000018B000-memory.dmp (44KB)
  • memory/2772-130-0x0000000000590000-0x00000000005F0000-memory.dmp (384KB)
  • memory/2772-131-0x00000000054D0000-0x0000000005A74000-memory.dmp (5.6MB)
  • memory/2772-132-0x0000000004FC0000-0x0000000005052000-memory.dmp (584KB)
  • memory/2772-133-0x00000000749DE000-0x00000000749DF000-memory.dmp (4KB)
  • memory/2772-134-0x0000000005060000-0x00000000050FC000-memory.dmp (624KB)
  • memory/2772-135-0x0000000005450000-0x000000000545A000-memory.dmp (40KB)
  • memory/2772-136-0x00000000051C0000-0x00000000051C1000-memory.dmp (4KB)
  • memory/2772-137-0x00000000051C1000-0x00000000051C2000-memory.dmp (4KB)
  • memory/2772-138-0x0000000008300000-0x0000000008322000-memory.dmp (136KB)