Analysis
- max time kernel: 49s
- max time network: 63s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 11-02-2023 04:40
Behavioral task
- behavioral1
- Sample: 6cc7d9664c1a89c58549e57b5959bb38.exe
- Resource: win7-20220812-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: 6cc7d9664c1a89c58549e57b5959bb38.exe
- Size: 2.3MB
- MD5: 6cc7d9664c1a89c58549e57b5959bb38
- SHA1: 85b665c501b9ab38710050e9a5c1b6d2e96acccc
- SHA256: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4
- SHA512: 294ee9c688a22df3d8311d040c56ffd66ae49982d7ad7de044b3b521533e380ced9058a43396fde49bb618db96bd6899c4db3926731df460cb66814f1a3965d9
- SSDEEP: 49152:kHEP1Ytp7MnOYoH7NzvsfZHXlIZELxmuY88jIvnPojMuHmsMtTQpw:GEPuBSONzvsfZ3eCxmQ8cWmsM
- Score: 6/10
Malware Config
Signatures
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  13    api.db-ip.com
  14    api.db-ip.com
  6     ipinfo.io
-
Drops file in System32 directory 4 IoCs
Processes:
  description                   ioc                                                    process
  File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol   6cc7d9664c1a89c58549e57b5959bb38.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI                6cc7d9664c1a89c58549e57b5959bb38.exe
  File opened for modification  C:\Windows\System32\GroupPolicy                        6cc7d9664c1a89c58549e57b5959bb38.exe
  File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini                6cc7d9664c1a89c58549e57b5959bb38.exe
-
Program crash 1 IoCs
Processes:
  pid  pid_target  process       target process
  584  1872        WerFault.exe  6cc7d9664c1a89c58549e57b5959bb38.exe
-
Modifies system certificate store
Processes:
  description       ioc                                                                                                          process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474                     6cc7d9664c1a89c58549e57b5959bb38.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [value omitted]  6cc7d9664c1a89c58549e57b5959bb38.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description                      pid   process                               target process
  PID 1872 wrote to memory of 584  1872  6cc7d9664c1a89c58549e57b5959bb38.exe  WerFault.exe
  PID 1872 wrote to memory of 584  1872  6cc7d9664c1a89c58549e57b5959bb38.exe  WerFault.exe
  PID 1872 wrote to memory of 584  1872  6cc7d9664c1a89c58549e57b5959bb38.exe  WerFault.exe
  PID 1872 wrote to memory of 584  1872  6cc7d9664c1a89c58549e57b5959bb38.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6cc7d9664c1a89c58549e57b5959bb38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cc7d9664c1a89c58549e57b5959bb38.exe"
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 992
    - Program crash