8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe
Size

621KB
MD5

00988cb62318f2cc2c3f65b03853cb00
SHA1

8942dfae48af4a6692eecf2ccea82f903f73b55d
SHA256

8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e
SHA512

486b85e9f2bc4cdc74dd5d4a733ee0c821bc456231e2ac93b160e9adb6b12b1734123e17460412af601b3c103671fbf20ca77cdb8a50c0d8787cba0c3577e2c0
SSDEEP

12288:G3HbZDr8tP35P/v1KIsvCn2mqFOWwuiH8baSPp5nh9xWSsnJ8SrRhGYkFzggPQ:+StVX1KIfnVqFOWwuiH8baSVgnJ8SrRn

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
844	4884	WerFault.exe	82
816	1208	WerFault.exe	85
3592	1512	WerFault.exe	86

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe
4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe
1208	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe
1512	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1208	4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe	85
PID 4884 wrote to memory of 1208	4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe	85
PID 4884 wrote to memory of 1208	4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe	85
PID 4884 wrote to memory of 1512	4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe	86
PID 4884 wrote to memory of 1512	4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe	86
PID 4884 wrote to memory of 1512	4884	8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe	86

C:\Users\Admin\AppData\Local\Temp\8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe
"C:\Users\Admin\AppData\Local\Temp\8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 488
  2⤵
  - Program crash
  PID:844
- C:\Users\Admin\AppData\Local\Temp\8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe
  start
  2⤵
  - Checks BIOS information in registry
  - Enumerates system info in registry
  - Suspicious use of UnmapMainImage
  PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 488
    3⤵
    - Program crash
    PID:816
- C:\Users\Admin\AppData\Local\Temp\8b50aba5f2c5168c3ae542628b651f0046307ce3492a488503511e841d42dc6e.exe
  watch
  2⤵
  - Suspicious use of UnmapMainImage
  PID:1512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 488
    3⤵
    - Program crash
    PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4884 -ip 4884
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1208 -ip 1208
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1512 -ip 1512
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-137-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1208-139-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1512-138-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1512-140-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4884-132-0x000000007FE30000-0x000000007FE49000-memory.dmp

Filesize
100KB

Download
memory/4884-133-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4884-136-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download