Analysis
- max time kernel: 38s
- max time network: 43s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-05-2022 02:24
Static task: static1
Behavioral task: behavioral1
- Sample: d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe
- Resource: win10v2004-20220414-en
General
- Target: d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe
- Size: 21KB
- MD5: fb0a226376d060173dea88a60f19661b
- SHA1: 331cc3e10b234ff4b27b9a19cd76516fab3043eb
- SHA256: d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773
- SHA512: e4d978c8f88db943c5602fda998f93ba3d09a6169e7e9f39bd025d86dd21ab985492787e741c5ab207af2c33e988f75f8e7e190d59fb25b8be152dccd550fe88
Malware Config
Signatures
Program crash (1 IoC)
Processes:
- WerFault.exe: pid 1012, target pid 1100, process WerFault.exe, target process IEXPLORE.EXE
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- IEXPLORE.EXE: description "File opened for modification", IoC \??\PhysicalDrive0, process IEXPLORE.EXE
Suspicious use of SetThreadContext (1 IoC)
Processes:
- d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe: description "PID 2024 set thread context of 1100", pid 2024, process d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe, target process IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- IEXPLORE.EXE: pid 1100, process IEXPLORE.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe: description "Token: SeIncBasePriorityPrivilege", pid 2024, process d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe, IEXPLORE.EXE
- description "PID 2024 wrote to memory of 1100", pid 2024, process d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe, target process IEXPLORE.EXE (8 entries)
- description "PID 1100 wrote to memory of 1012", pid 1100, process IEXPLORE.EXE, target process WerFault.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 156
         - Program crash