Analysis
-
max time kernel
113s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
01-03-2022 07:35
General
-
Target
sample.exe
-
Size
141KB
-
MD5
1c2af6c5e1b8b87189b5da7bd3cefe30
-
SHA1
6881acb4f1401f0db02bbebe82e2381a0b7c447d
-
SHA256
cf0705a3e4f3690e28184eb019a4940e7291ce5b3d52747ff80b72e90922a89b
-
SHA512
1f391111cbeb12f892c272076111a8317b98c9eda4bbf12eefb7a47bcc1a327b43310739a301718b700dc2ce28339b00533f2c9eda1f06ffff21f30d69ce6362
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4440 -s 9442⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4440 -ip 44401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4440-130-0x00000208F5640000-0x00000208F566A000-memory.dmpFilesize
168KB
-
memory/4440-131-0x00007FF8F1E13000-0x00007FF8F1E15000-memory.dmpFilesize
8KB
-
memory/4440-132-0x00000208F75E0000-0x00000208F75E2000-memory.dmpFilesize
8KB
-
memory/4440-133-0x00000208F5C20000-0x00000208F5C21000-memory.dmpFilesize
4KB