Analysis
- max time kernel: 146s
- max time network: 415s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-05-2022 23:08
Static task: static1
Behavioral task: behavioral1
Sample: 25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
Resource: win7-20220414-en
General
- Target: 25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
- Size: 888KB
- MD5: 02e1fc62335f482e4c2bd663e206736a
- SHA1: 83c2a8c79f0745f977dab0ae1c158292217f94d0
- SHA256: 25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407
- SHA512: 18ba896dc20d86c7e78dc44365391a17457b39b3ec424f99df4f72a5ec536ab7f1fa222f036c0ddb8cda89e5d36bcac73c4325f75c9b0e0a7f079e20e5d8fc8b
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 3 IoCs)
  Processes (pid, process):
    2680  takeown.exe
    3776  takeown.exe
    64    takeown.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (5 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini            25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    File created                  C:\Windows\SysWOW64\GroupPolicy\gpt.ini            25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    File opened for modification  C:\Windows\SysWOW64\GroupPolicy\User\Registry.pol  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    File created                  C:\Windows\SysWOW64\GroupPolicy\User\Registry.pol  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    File opened for modification  C:\Windows\SysWOW64\GroupPolicy                    25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
- Program crash (6 IoCs)
  Processes (pid, pid_target, process, target process):
    3868  1588  WerFault.exe  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    2700  1588  WerFault.exe  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    2680  1588  WerFault.exe  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    4020  1588  WerFault.exe  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    3096  1588  WerFault.exe  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
    1540  1588  WerFault.exe  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    1588  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe  (6 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process); each entry is listed 3 times in the report:
    PID 1588 wrote to memory of 1276  1588  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe  cacls.exe
    PID 1588 wrote to memory of 2560  1588  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe  svchost.exe
    PID 1588 wrote to memory of 2680  1588  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe  takeown.exe
    PID 1588 wrote to memory of 2736  1588  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe  cacls.exe
    PID 1588 wrote to memory of 4020  1588  25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe  cacls.exe
Processes (path, then command line; nested entries are child processes)
- C:\Users\Admin\AppData\Local\Temp\25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
  "C:\Users\Admin\AppData\Local\Temp\25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 744
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 752
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 812
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 808
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1080
    - Program crash
  - C:\Windows\SysWOW64\cacls.exe
    C:\Windows\System32\cacls.exe C:\Windows\System32\GroupPolicy /t /e /g Everyone:f
  - C:\Windows\SysWOW64\cacls.exe
    C:\Windows\System32\cacls.exe C:\Windows\System32\GroupPolicy /t /e /g все:f
  - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\System32\takeown.exe /F C:\Windows\System32\GroupPolicy
    - Modifies file permissions
  - C:\Windows\SysWOW64\cacls.exe
    C:\Windows\System32\cacls.exe C:\Windows\SysWOW64\GroupPolicy /t /e /g все:f
  - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\System32\takeown.exe /F C:\Windows\SysWOW64\GroupPolicy
    - Modifies file permissions
  - C:\Windows\SysWOW64\cacls.exe
    C:\Windows\System32\cacls.exe C:\Windows\Sysnative\GroupPolicy /t /e /g Everyone:f
  - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\System32\takeown.exe /F C:\Windows\Sysnative\GroupPolicy
    - Modifies file permissions
  - C:\Windows\SysWOW64\cacls.exe
    C:\Windows\System32\cacls.exe C:\Windows\Sysnative\GroupPolicy /t /e /g все:f
  - C:\Windows\SysWOW64\gpupdate.exe
    C:\Windows\System32\gpupdate.exe /force
  - C:\Windows\SysWOW64\cacls.exe
    C:\Windows\System32\cacls.exe C:\Windows\SysWOW64\GroupPolicy /t /e /g Everyone:f
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 768
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1588 -ip 1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1588 -ip 1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1588 -ip 1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1588 -ip 1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1588 -ip 1588
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1588 -ip 1588
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\GroupPolicy\User\Registry.pol
  Filesize: 472B
  MD5: 62ce4006ac00215377752dfaf25e20ae
  SHA1: 7e5b3b70613aa4dc1e71431e0855a47c7ee75cd2
  SHA256: 1bb0208258be631a21cfed8166a49ee9467dfba8962a2f85361ce365e48f6962
  SHA512: d79b826cd909ec15128bfe898064854ca043171db3e55b961e0a55754567da62bc57eb9cc2a994b2e0c14b3be49707aff080df886d303de229643da47acbdaeb
- C:\Windows\SysWOW64\GroupPolicy\gpt.ini
  Filesize: 155B
  MD5: b18af26ec9d74dd4bfd14fd79a655c1d
  SHA1: df4c28816bc845a34d434347c10c6d14fcafdd01
  SHA256: ea62b60ea16af53841f2088458910586186bd3130d6dad443a27906f7baee7c9
  SHA512: bc64d120a55e93a17e81349a5a9856556612a44673ae9ae8589a66638e25685b9b70608ce23b19e0919797b04da40dbca5cdc87c7f6eb1bfb93307dc4bc74ff2
- memory/64-142-0x0000000000000000-mapping.dmp
- memory/1276-132-0x0000000000000000-mapping.dmp
- memory/1316-141-0x0000000000000000-mapping.dmp
- memory/1588-131-0x0000000000400000-0x00000000004D6000-memory.dmp
  Filesize: 856KB
- memory/1588-130-0x0000000002170000-0x00000000021B3000-memory.dmp
  Filesize: 268KB
- memory/2560-133-0x0000000000000000-mapping.dmp
- memory/2576-140-0x0000000000000000-mapping.dmp
- memory/2680-134-0x0000000000000000-mapping.dmp
- memory/2736-135-0x0000000000000000-mapping.dmp
- memory/3100-143-0x0000000000000000-mapping.dmp
- memory/3776-139-0x0000000000000000-mapping.dmp
- memory/4020-138-0x0000000000000000-mapping.dmp