fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e

General

Target

fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
Size

365KB
MD5

2371d432700a7e1f9c070a6e97fdb634
SHA1

00d6c66ab2fd1810628d13980cc73275884933b1
SHA256

fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e
SHA512

423e76393e65defab5cdaef0c2a3249cadfbd3413d6763db8428e3a6a13e2a880c6a93cba35cf783ccc126b26bcd3e6ad6bf3059be94ca0d3798b75b51c4e7e5

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4916 created 2024 4916 WerFault.exe fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

description	pid	process	target process
PID 4916 created 2024	4916	WerFault.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

description	pid	process	target process
PID 2772 set thread context of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3496 2024 WerFault.exe fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
3496	2024	WerFault.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exeWerFault.exe

pid	process
2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
3496	WerFault.exe
3496	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
Token: SeRestorePrivilege	3496	WerFault.exe
Token: SeBackupPrivilege	3496	WerFault.exe
Token: SeBackupPrivilege	3496	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exeWerFault.exe

description	pid	process	target process
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 2772 wrote to memory of 2024	2772	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 4916 wrote to memory of 2024	4916	WerFault.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
PID 4916 wrote to memory of 2024	4916	WerFault.exe	fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe

C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
"C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe
"C:\Users\Admin\AppData\Local\Temp\fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e.exe"
2⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 184
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2024 -ip 2024
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-140-0x0000000000180000-0x000000000018B000-memory.dmp

Filesize
44KB

Download
memory/2772-130-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/2772-131-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/2772-132-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/2772-133-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2772-134-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/2772-135-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/2772-136-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2772-137-0x00000000051C1000-0x00000000051C2000-memory.dmp

Filesize
4KB

Download
memory/2772-138-0x0000000008300000-0x0000000008322000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads