985aeb70b91dd14a84ba45d51a041a48db6a6af5b3f5bf668bd986f1a67ad07e

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2023 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985aeb70b91dd14a84ba45d51a041a48db6a6af5b3f5bf668bd986f1a67ad07e.dll
Size

259KB
MD5

850b311135502749b800e16f90b1fb74
SHA1

6948966b683f6cc4a1d97c1c5a2c7143550705d1
SHA256

985aeb70b91dd14a84ba45d51a041a48db6a6af5b3f5bf668bd986f1a67ad07e
SHA512

82630e068fa31d363efdbe129cef894e25696a76634728c280720ce7603c65c21059387e29c5ff40904b4c01d0d1edfdf3417dbc06ef8910fea3bfa5f84234b2
SSDEEP

6144:fJqVG5d1IpMyibgkTZI6jHID90awrBXzH/:f3d6tevoxArBXD

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{04DE4B37-5102-40DD-9963-DEE670C2373D}.catalogItem	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4712 3032 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4712	3032	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\985aeb70b91dd14a84ba45d51a041a48db6a6af5b3f5bf668bd986f1a67ad07e.dll,#1
1⤵
PID:3032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3032 -s 328
2⤵
- Program crash
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3032 -ip 3032
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads