Analysis
  max time kernel:   167s
  max time network:  136s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220414-en
  submitted:         25-06-2022 05:17

Static task:     static1
Behavioral task: behavioral1
  Sample:   48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample:   48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe
  Resource: win10v2004-20220414-en
General
  Target: 48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe
  Size:   253KB
  MD5:    5c86e45799654b4ff55e5f84d4a483e2
  SHA1:   f840b9b62d1b4c8072883876edf03a2274323a7f
  SHA256: 48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930
  SHA512: c91c1240567eeace40e1cc37580b729fe43040b370b13a7a247c0c706478290855745397cb0f8ba6e79a58b552f66ea2e75fc8f3dd494359776d2e7b978164cf
Malware Config
  Extracted family: buer
  Extracted URLs (Buer loader C2, same host over HTTPS on 443 and plain HTTP on 8080):
    https://95.217.81.68/
    http://95.217.81.68:8080/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  The dropped errorResponder.exe rewrites the Winlogon Shell value in a per-user (HKCU) hive. Shell is a comma-separated list of programs Winlogon starts at interactive logon, so appending its own path makes the dropper launch next to explorer.exe every time that user logs on.
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\""
  process:     errorResponder.exe

YARA rule matches in memory (rule: buer)
  resource                                                                       yara_rule
  behavioral2/memory/4224-131-0x0000000000480000-0x000000000048A000-memory.dmp  buer
  behavioral2/memory/4224-132-0x0000000040000000-0x00000000442DB000-memory.dmp  buer
  behavioral2/memory/4224-134-0x0000000040000000-0x00000000442DB000-memory.dmp  buer
  behavioral2/memory/3692-139-0x0000000040000000-0x00000000442DB000-memory.dmp  buer
  behavioral2/memory/4224-140-0x0000000040000000-0x00000000442DB000-memory.dmp  buer

Executes dropped EXE (1 IoC)
  pid   Process
  3692  errorResponder.exe

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  4404  4224        WerFault.exe  79
  1528  4224        WerFault.exe  79
  3144  2892        WerFault.exe  93

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3692  errorResponder.exe
  3692  errorResponder.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                                                                                          Process                                                                   procid_target  count
  PID 4224 wrote to memory of 3692 (original sample into errorResponder.exe)                           48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe   87             3
  PID 3692 wrote to memory of 2892 (errorResponder.exe into the secinit.exe child shown below)          errorResponder.exe                                                        93             10
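The Winlogon Shell modification above is the persistence artifact worth hunting for on other hosts. The Python below is an added example, not part of the sandbox report or any vendor tooling: it splits a Winlogon Shell value the way Winlogon reads it (comma-separated entries, optionally double-quoted) and reports every entry that is not the stock explorer.exe. The two sample values are constructed here; "infected" is the exact value this report recorded. The live registry read via winreg is an optional extra that only runs on a Windows host.

```python
import sys
from typing import Dict, List, Optional

# Winlogon's Shell value is a comma-separated list of programs started at logon.
# A stock system holds exactly "explorer.exe"; malware appends its own binary so
# Winlogon starts it alongside the desktop shell, as errorResponder.exe does here.
STOCK_SHELL = {"explorer.exe"}
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values: "infected" is the value recorded in this report
# (written under the sandbox user's HKCU hive); "clean" is the Windows default.
SAMPLE_VALUES: Dict[str, str] = {
    "infected": r'explorer.exe, "C:\ProgramData\ErrorResponder\errorResponder.exe"',
    "clean": "explorer.exe",
}


def split_shell_value(value: str) -> List[str]:
    """Split on commas that sit outside double quotes; drop quotes and padding."""
    entries: List[str] = []
    current: List[str] = []
    in_quotes = False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes  # quotes delimit an entry, they are not kept
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def unexpected_shell_entries(value: str) -> List[str]:
    """Every Shell entry whose program file name is not the stock explorer.exe."""
    flagged = []
    for entry in split_shell_value(value):
        # file name only: strip directory, then any arguments after a space
        name = entry.rsplit("\\", 1)[-1].split(" ", 1)[0].lower()
        if name not in STOCK_SHELL:
            flagged.append(entry)
    return flagged


def read_winlogon_shell(hive: str = "HKCU") -> Optional[str]:
    """Read the live Shell value on a Windows host; None elsewhere or if unset."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    try:
        with winreg.OpenKey(root, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return str(value)
    except FileNotFoundError:
        return None


def scan(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each label to the non-stock Shell entries found in its value."""
    return {label: unexpected_shell_entries(v) for label, v in values.items()}


if __name__ == "__main__":
    for label, extra in scan(SAMPLE_VALUES).items():
        print(f"{label}: {'ALERT ' + '; '.join(extra) if extra else 'ok'}")
    for hive in ("HKCU", "HKLM"):
        live = read_winlogon_shell(hive)
        if live is not None:
            print(f"{hive} live Shell: {unexpected_shell_entries(live) or 'ok'}")
```

Both hives matter: the report shows the per-user value, but the machine-wide HKLM Shell value is the other place the same technique lands, and a clean system has only explorer.exe in either.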
Processes

C:\Users\Admin\AppData\Local\Temp\48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe  (PID 4224)
  command line: "C:\Users\Admin\AppData\Local\Temp\48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe"
  signatures:   Suspicious use of WriteProcessMemory
  |
  +-- C:\ProgramData\ErrorResponder\errorResponder.exe  (PID 3692)
  |     command line: C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe" ensgJJ
  |     signatures:   Modifies WinLogon for persistence; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\secinit.exe  (PID 2892)
  |           command line: C:\ProgramData\ErrorResponder\errorResponder.exe
  |           note: the loaded image (secinit.exe) and the command line (errorResponder.exe) name different executables, and PID 3692 wrote to this process ten times before it crashed
  |           |
  |           +-- C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 272  (PID 3144)  Program crash
  |
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 440  (PID 4404)  Program crash
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 472  (PID 1528)  Program crash

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4224 -ip 4224  (PID 2020)
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4224 -ip 4224  (PID 4356)
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2892 -ip 2892  (PID 3536)
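The one structural oddity in this tree is PID 2892: the image is secinit.exe but the command line is errorResponder.exe's. That combination is the usual footprint of process hollowing (a legitimate process created suspended and its image replaced), though the report itself only records the mismatch and the WriteProcessMemory calls into it. The Python below is an added example, not from the report or the sandbox vendor: it scans a list of process records for image/command-line mismatches and returns the parent chain for each hit. The records are constructed from this report's tree; the parent of PID 4224 is not shown on the page, so it is recorded as 0, and the WerFault handlers are left out as they are not the malware's own activity.

```python
from dataclasses import dataclass
from typing import Dict, List
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 where the report does not show a parent
    image: str     # executable actually loaded
    cmdline: str   # command line as recorded by the sandbox


# Constructed from the process tree in this report (PIDs and paths as recorded).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930.exe"
DROPPED = r"C:\ProgramData\ErrorResponder\errorResponder.exe"
PROCS: List[Proc] = [
    Proc(4224, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(3692, 4224, DROPPED, f'{DROPPED} "{SAMPLE}" ensgJJ'),
    Proc(2892, 3692, r"C:\Windows\SysWOW64\secinit.exe", DROPPED),
]


def first_token(cmdline: str) -> str:
    """Program part of a Windows command line: a quoted path, else up to the first space."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatches(procs: List[Proc]) -> List[int]:
    """PIDs whose command line names a different executable than the loaded image."""
    return [
        p.pid for p in procs
        if ntpath.basename(first_token(p.cmdline)).lower() != ntpath.basename(p.image).lower()
    ]


def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Image paths from the given process up through every parent the records contain."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def report(procs: List[Proc]) -> List[str]:
    """One line per mismatch: the hit and its parent chain, innermost first."""
    return [
        f"PID {pid}: " + " <- ".join(ntpath.basename(i) for i in ancestry(procs, pid))
        for pid in image_cmdline_mismatches(procs)
    ]


if __name__ == "__main__":
    print("\n".join(report(PROCS)) or "no image/command-line mismatches")
```

ntpath is used deliberately so the basename logic handles Windows paths when the script is run on a Linux analysis box; against a live host the same functions work on records pulled from Sysmon event ID 1 (Image, CommandLine, ParentProcessId), which carries exactly these fields.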
Network
MITRE ATT&CK Enterprise v6
Downloads
  Two entries are listed; both carry identical values, matching the submitted sample:
    Filesize: 253KB
    MD5:      5c86e45799654b4ff55e5f84d4a483e2
    SHA1:     f840b9b62d1b4c8072883876edf03a2274323a7f
    SHA256:   48169d26f0752a5bb08334a4a41bbd2cc890c326fc0115e3b9ac1db6f9741930
    SHA512:   c91c1240567eeace40e1cc37580b729fe43040b370b13a7a247c0c706478290855745397cb0f8ba6e79a58b552f66ea2e75fc8f3dd494359776d2e7b978164cf