Analysis
max time kernel: 4294180s
max time network: 124s
platform: windows7_x64
resource: win7-20220311-en
submitted: 26-03-2022 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: 8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
  Resource: win10v2004-en-20220113
General
Target: 8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
Size: 1.7MB
MD5: bc287b93c1590e6ff76b62f223f25828
SHA1: 94a2e1a580a1e2543299a417d6c8816e9480bf4b
SHA256: 8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b
SHA512: 7eee027b913fdc3716a57b658de664baad62291a08d2b412d8bacfe1c11749c44bdef6be1a715c211af47a550eee9d26ab02772353d46acae0c8d40a3f122b78
Malware Config
Signatures
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
5     api.ipify.org
4     api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid   Process
1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
Program crash (1 IoCs)
Processes:
pid   pid_target  Process       procid_target
1320  1752        WerFault.exe  26
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid   Process
Token: SeDebugPrivilege  1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid   Process
1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                       pid   Process                                                                 procid_target
PID 1752 wrote to memory of 1320  1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe  28
PID 1752 wrote to memory of 1320  1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe  28
PID 1752 wrote to memory of 1320  1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe  28
PID 1752 wrote to memory of 1320  1752  8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1752
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1392
    - Program crash
    PID: 1320