Overview

overview

10

Static

static

939b09df23...3c.exe

windows7-x64

10

939b09df23...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 05:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    939b09df231a097d8c4a24a0f2696643238d1c6aff7352ba379500433258a53c.exe

  • Size

    679KB

  • MD5

    a71af56de1cf828d40fc2003f8aa2925

  • SHA1

    9a1b75cac9a9a821f229b2bd576cfca85ffe7426

  • SHA256

    939b09df231a097d8c4a24a0f2696643238d1c6aff7352ba379500433258a53c

  • SHA512

    6b340948834009b79b495a5deb53c17834702f78491b837b9138a2180ca84a67d1dded35148fc50857bea02452c70edb7ddb53bf54b31c47ef62367af79fab23

  • SSDEEP

    12288:jmcDUeKZJL1YwSRlcTVRk9DOzwNDAtPZxdObvKF2Qp:j/orF1dS8z6OUN4PZxw72

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\939b09df231a097d8c4a24a0f2696643238d1c6aff7352ba379500433258a53c.exe
    "C:\Users\Admin\AppData\Local\Temp\939b09df231a097d8c4a24a0f2696643238d1c6aff7352ba379500433258a53c.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:3828
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 536
      2⤵
      • Program crash
      PID:4324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 680
      2⤵
      • Program crash
      PID:4624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 688
      2⤵
      • Program crash
      PID:2232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 708
      2⤵
      • Program crash
      PID:3664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 692
      2⤵
      • Program crash
      PID:1944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 708
      2⤵
      • Program crash
      PID:308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 808
      2⤵
      • Program crash
      PID:116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 852
      2⤵
      • Program crash
      PID:4488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 852
      2⤵
      • Program crash
      PID:4572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1064
      2⤵
      • Program crash
      PID:4100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1080
      2⤵
      • Program crash
      PID:2632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1316
      2⤵
      • Program crash
      PID:2484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 832
      2⤵
      • Program crash
      PID:4516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 820
      2⤵
      • Program crash
      PID:2912
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3828 -ip 3828
    1⤵
      PID:4768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3828 -ip 3828
      1⤵
        PID:4680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3828 -ip 3828
        1⤵
          PID:1528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3828 -ip 3828
          1⤵
            PID:2300
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3828 -ip 3828
            1⤵
              PID:2052
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3828 -ip 3828
              1⤵
                PID:4892
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3828 -ip 3828
                1⤵
                  PID:240
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3828 -ip 3828
                  1⤵
                    PID:1800
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3828 -ip 3828
                    1⤵
                      PID:3860
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3828 -ip 3828
                      1⤵
                        PID:4268
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3828 -ip 3828
                        1⤵
                          PID:3564
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3828 -ip 3828
                          1⤵
                            PID:4688
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3828 -ip 3828
                            1⤵
                              PID:1380
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3828 -ip 3828
                              1⤵
                                PID:1484

                              Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/3828-132-0x0000000000400000-0x00000000007C6000-memory.dmp

                                      Filesize

                                      3.8MB

                                      Download

                                    • memory/3828-133-0x00000000008F0000-0x00000000008F3000-memory.dmp

                                      Filesize

                                      12KB

                                      Download

                                    • memory/3828-134-0x0000000000400000-0x00000000007C6000-memory.dmp

                                      Filesize

                                      3.8MB

                                      Download