Analysis
max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags
arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
submitted
19-08-2023 19:46
Static task
static1
Behavioral task
behavioral1
Sample
a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Resource
win10v2004-20230703-en
General
Target
a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Size
4.3MB
MD5
6b1b32bf21fa1e9b0a15fef7ad859077
SHA1
6052a49a4e30aa9c1fd771692d22e010c751caa7
SHA256
a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa
SHA512
25e59b1f3d8a99631798af600c8c738dfe4900e72b28e80f7407cf511214f9fa3e7bcfc07e8c7753973bf5486cd1f0afb2d86c21da153c7fa5c4d14c5c528ac3
SSDEEP
98304:Y7Qfh+m6IhvfUk+S1Y4mx/VZSaFYjpofE6g:Y7Qfh+m66fUk+S1Y3Epos6g
Malware Config
Signatures
Loads dropped DLL 7 IoCs
pid Process
2876 WerFault.exe
2876 WerFault.exe
2876 WerFault.exe
2876 WerFault.exe
2876 WerFault.exe
2876 WerFault.exe
2876 WerFault.exe
resource yara_rule
behavioral1/memory/1712-63-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-65-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-67-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-71-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-75-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-77-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-81-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-84-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-87-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-89-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-91-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-79-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-96-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-98-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-94-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-73-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-101-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-69-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-64-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-103-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-105-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-107-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-109-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
behavioral1/memory/1712-115-0x0000000002E40000-0x0000000002E7E000-memory.dmp upx
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\F: a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid pid_target Process procid_target
2876 1712 WerFault.exe 27
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Suspicious behavior: RenamesItself 1 IoCs
pid Process
1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process
Token: SeDebugPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 1 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeCreateTokenPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeAssignPrimaryTokenPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeLockMemoryPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeIncreaseQuotaPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeMachineAccountPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeTcbPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeSecurityPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeTakeOwnershipPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeLoadDriverPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeSystemProfilePrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeSystemtimePrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeProfSingleProcessPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeIncBasePriorityPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeCreatePagefilePrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeCreatePermanentPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeBackupPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeRestorePrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeShutdownPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeDebugPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeAuditPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeSystemEnvironmentPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeChangeNotifyPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeRemoteShutdownPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeUndockPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeSyncAgentPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeEnableDelegationPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeManageVolumePrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeImpersonatePrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeCreateGlobalPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 31 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 32 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 33 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 34 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 35 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 36 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 37 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 38 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 39 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 40 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 41 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 42 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 43 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 44 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 45 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 46 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 47 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: 48 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Token: SeDebugPrivilege 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1712 wrote to memory of 2876 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe 28
PID 1712 wrote to memory of 2876 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe 28
PID 1712 wrote to memory of 2876 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe 28
PID 1712 wrote to memory of 2876 1712 a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe 28
Processes
C:\Users\Admin\AppData\Local\Temp\a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
"C:\Users\Admin\AppData\Local\Temp\a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe"
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
C:\Windows\SysWOW64\WerFault.exe (child of PID 1712)
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 452
- Loads dropped DLL
- Program crash
PID:2876
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Temp\a2bf4779985b45fa712741c2e11633bb889b74a229731f73fd373bb507bd9aaa.exe
Filesize
4.3MB
MD5
79f2d0a40916811e28d411d16e5232f2
SHA1
a914f64e40fac0a17e2b39551523931f084ef8fc
SHA256
f554697cc4d511297ccebb0e1da5745a5d80ede11bb71f27e5a160023545d7cb
SHA512
ad5c2d8a20f20ec1079dc56681d22549c2c807066b67bd65d15c332a7f1509edbe8be0eedf41585a0deaa51fe1cba9d7c7428f091cc4dcffba66991e7057e8e5