Overview

overview

10

Static

static

242f71efe5...81.exe

windows7-x64

10

242f71efe5...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2022, 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    242f71efe520252393f15e38567c7161d0696fa910abc8d365b2d8fd38b3bf81.exe

  • Size

    603KB

  • MD5

    922b4bd1ebb57a05a8a3768d9d3d9b00

  • SHA1

    4b6d4c774329e9e72e47789c838f019fde4cebdd

  • SHA256

    242f71efe520252393f15e38567c7161d0696fa910abc8d365b2d8fd38b3bf81

  • SHA512

    d208fb4af11c0d3a7a8f8718662f9eb6f6e5c929f91a647bc10ee9dfac6aca0a4182eecd64c7fa19043f24cc0d747e60d32429b75cfbee48a3d33d5de46eecae

  • SSDEEP

    12288:tllGx3jvBXvtRlfN7BBAI36MX4TlRrZd1p:t6jZXrTJ34TlRrZd

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\242f71efe520252393f15e38567c7161d0696fa910abc8d365b2d8fd38b3bf81.exe
    "C:\Users\Admin\AppData\Local\Temp\242f71efe520252393f15e38567c7161d0696fa910abc8d365b2d8fd38b3bf81.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:1260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 548
      2⤵
      • Program crash
      PID:4800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 548
      2⤵
      • Program crash
      PID:4476
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 684
      2⤵
      • Program crash
      PID:1708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 776
      2⤵
      • Program crash
      PID:4756
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 552
      2⤵
      • Program crash
      PID:4396
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 796
      2⤵
      • Program crash
      PID:204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 800
      2⤵
      • Program crash
      PID:3896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 680
      2⤵
      • Program crash
      PID:5000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1032
      2⤵
      • Program crash
      PID:4196
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1040
      2⤵
      • Program crash
      PID:4016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1096
      2⤵
      • Program crash
      PID:4256
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1132
      2⤵
      • Program crash
      PID:3988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 792
      2⤵
      • Program crash
      PID:1316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 912
      2⤵
      • Program crash
      PID:2608
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1260 -ip 1260
    1⤵
      PID:4880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1260 -ip 1260
      1⤵
        PID:1320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1260 -ip 1260
        1⤵
          PID:4404
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1260 -ip 1260
          1⤵
            PID:1360
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1260 -ip 1260
            1⤵
              PID:1640
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1260 -ip 1260
              1⤵
                PID:4400
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1260 -ip 1260
                1⤵
                  PID:3892
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1260 -ip 1260
                  1⤵
                    PID:2540
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1260 -ip 1260
                    1⤵
                      PID:4836
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1260 -ip 1260
                      1⤵
                        PID:1152
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1260 -ip 1260
                        1⤵
                          PID:4504
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1260 -ip 1260
                          1⤵
                            PID:2200
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1260 -ip 1260
                            1⤵
                              PID:1020
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1260 -ip 1260
                              1⤵
                                PID:2624

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/1260-132-0x0000000000400000-0x00000000007DD000-memory.dmp

                                Filesize

                                3.9MB

                                Download

                              • memory/1260-133-0x0000000000400000-0x00000000007DD000-memory.dmp

                                Filesize

                                3.9MB

                                Download

                              • memory/1260-134-0x0000000002520000-0x0000000002523000-memory.dmp

                                Filesize

                                12KB

                                Download

                              • memory/1260-135-0x0000000000400000-0x00000000007DD000-memory.dmp

                                Filesize

                                3.9MB

                                Download

                              • memory/1260-136-0x0000000002520000-0x0000000002523000-memory.dmp

                                Filesize

                                12KB

                                Download