Resubmissions
24-09-2022 21:20  220924-z6qdtaddbl  score 10
Analysis
-
max time kernel: 393s
max time network: 1593s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14-04-2024 12:44
Static task: static1
Behavioral task behavioral1: sample 5e6764534b3a1e4d3abacc4810b6985d.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 5e6764534b3a1e4d3abacc4810b6985d.exe, resource win10-20240404-en
Behavioral task behavioral3: sample 5e6764534b3a1e4d3abacc4810b6985d.exe, resource win10v2004-20240412-en
General
-
Target: 5e6764534b3a1e4d3abacc4810b6985d.exe
Size: 740KB
MD5: 5e6764534b3a1e4d3abacc4810b6985d
SHA1: f10ad287f126f577f197070453812a7e88c2cc52
SHA256: e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0
SHA512: 532d2855e1b21433dbcc9c803f0538d99f6c3bddf0dd8321f552c7d16914dce4c2d2d3abd8028f45a4cf18109d430251d8fe8c63d30627e6fcc27d54cb42a188
SSDEEP: 12288:az1bWgRkItsxHeYfpGcix2wytmyKsqVwoiFNoQEN5:+RkItsl7fofyKsqVwoiFNoQE3
Malware Config
Signatures
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 3: api.ipify.org
flow 4: api.ipify.org
-
Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.
The report attaches no IoC (no flow, host or process) to this signature, so treat it as a capability match rather than observed Tor traffic.
-
Program crash (1 IoC)
WerFault.exe (PID 4528) handled a crash in wermgr.exe (PID 2064).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
wermgr.exe (PID 2064), 64 occurrences.
-
Suspicious use of SetWindowsHookEx (2 IoCs)
5e6764534b3a1e4d3abacc4810b6985d.exe (PID 2736); wermgr.exe (PID 2064).
-
Suspicious use of WriteProcessMemory (5 IoCs)
5e6764534b3a1e4d3abacc4810b6985d.exe (PID 2736) wrote to the memory of wermgr.exe (PID 2064), 5 occurrences.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e6764534b3a1e4d3abacc4810b6985d.exe (PID 2736)
command line: "C:\Users\Admin\AppData\Local\Temp\5e6764534b3a1e4d3abacc4810b6985d.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wermgr.exe (PID 2064), child of 2736
    command line: "C:\Windows\System32\wermgr.exe"
    The command line names the System32 path but the image that runs is the SysWOW64 copy: the sample is a 32-bit process (arch:x86 resource tag, image mapped at 0x400000 in its memory dump) and WoW64 file-system redirection resolves System32 to SysWOW64 for it. This is the process the sample writes into (WriteProcessMemory IoCs above) and the one that later crashes.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\WerFault.exe (PID 4528), child of 2064
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 800
        - Program crash
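Detection logic for the process chain and network IoC in this report, as an added example that is not part of the sandbox output. It runs over constructed Sysmon-style events (EventID 1 process creation, EventID 22 DNS query; the field names, the log source and the explorer.exe parent of the sample are assumptions made for the example) and flags three things the report shows: wermgr.exe started by an executable in the user's Temp directory, a WerFault.exe whose -p argument names that wermgr.exe, and an external-IP lookup (api.ipify.org) issued by it. The WriteProcessMemory signature itself comes from the sandbox's API hooks and is not present in process-creation logs (Sysmon EventID 10, ProcessAccess, is the nearest host telemetry), so the chain here is keyed on parent/child relationships instead.

```python
"""Added example, not part of the sandbox report: correlate the process chain
and the network IoC the report lists, over constructed Sysmon-style events.

Field names follow Sysmon EventID 1 (process create) and EventID 22 (DNS
query); the log source and the explorer.exe parent of the sample are
assumptions made for this example.
"""
import re

# Parent paths a Windows Error Reporting process should never be launched from.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Hosts matched by the report's "Looks up external IP address" signature.
IP_LOOKUP_HOSTS = {"api.ipify.org"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e6764534b3a1e4d3abacc4810b6985d.exe"

# Constructed events mirroring the report's process tree and DNS IoCs.
EVENTS = [
    {"EventID": 1, "ProcessId": 2736, "ParentProcessId": 1000,
     "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",  # parent assumed
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2064, "ParentProcessId": 2736,
     "Image": r"C:\Windows\SysWOW64\wermgr.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\wermgr.exe"'},
    {"EventID": 22, "ProcessId": 2064, "Image": r"C:\Windows\SysWOW64\wermgr.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 1, "ProcessId": 4528, "ParentProcessId": 2064,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "ParentImage": r"C:\Windows\SysWOW64\wermgr.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 800"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the three correlated behaviours."""
    findings = []
    procs = [e for e in events if e["EventID"] == 1]

    # 1. wermgr.exe whose parent image lives in the user's Temp directory.
    suspect = set()
    for e in procs:
        if basename(e["Image"]) == "wermgr.exe" and USER_WRITABLE.match(e["ParentImage"]):
            suspect.add(e["ProcessId"])
            findings.append(("wermgr_from_user_temp", e["ProcessId"], e["ParentProcessId"]))

    # 2. WerFault.exe handling a crash (-p <pid>) in one of those wermgr.exe processes.
    for e in procs:
        if basename(e["Image"]) == "werfault.exe":
            m = re.search(r"(?:^|\s)-p\s+(\d+)", e["CommandLine"])
            if m and int(m.group(1)) in suspect:
                findings.append(("crash_in_suspect_wermgr", e["ProcessId"], int(m.group(1))))

    # 3. External-IP lookup issued by a suspect process.
    for e in events:
        if (e["EventID"] == 22 and e["ProcessId"] in suspect
                and e["QueryName"].lower() in IP_LOOKUP_HOSTS):
            findings.append(("ip_lookup_from_suspect", e["ProcessId"], e["QueryName"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The first rule is the one that carries the signal: wermgr.exe is a Windows Error Reporting component, and a copy of it spawned by an executable in %TEMP% is the anomaly; the crash and the IP lookup are then scoped to that process rather than raised on their own, which keeps ordinary WerFault activity and legitimate ipify lookups from paging anyone.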
Network
MITRE ATT&CK Enterprise v15
Downloads
-
file                                                              size
memory/2736-0-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/2064-1-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-2-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-3-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-4-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-5-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-6-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-7-0x0000000002760000-0x0000000002765000-memory.dmp    20KB
memory/2064-8-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-9-0x0000000002310000-0x00000000023AA000-memory.dmp    616KB
memory/2064-10-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-11-0x00000000001C0000-0x0000000000210000-memory.dmp   320KB
memory/2064-13-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-14-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-18-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-20-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-23-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-28-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-32-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-34-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-40-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
memory/2064-43-0x0000000002310000-0x00000000023AA000-memory.dmp   616KB
-
The 22 dumps cover only four distinct regions: 19 of them are repeated snapshots of the same 616KB region at 0x2310000-0x23AA000 in wermgr.exe (PID 2064), plus one 320KB region and one 20KB region in the same process, and the 740KB region at 0x400000 in the sample (PID 2736), whose size equals the file size listed under General.
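A parser for the dump names in the Downloads list, as an added example that is not part of the sandbox report. It checks each reported size against the address range encoded in the file name, groups the dumps by (pid, start, end) so that a region captured many times is analysed once, and picks out regions whose size equals the sample's on-disk size. The entries are copied from the list above; the assumption that the report rounds sizes down to whole KB is the only thing not stated on the page.

```python
"""Added example, not part of the sandbox report: parse the memory-dump file
names from the Downloads list, check each reported size against its address
range and group the dumps by region so one region is analysed once rather
than once per dump index.

Name pattern as listed in the report:
    memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
The report is assumed to round sizes down to whole KB.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# (file name, reported size) pairs copied from the report's Downloads section.
DUMPS = [
    ("memory/2064-10-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-2-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-11-0x00000000001C0000-0x0000000000210000-memory.dmp", "320KB"),
    ("memory/2064-3-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-4-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-7-0x0000000002760000-0x0000000002765000-memory.dmp", "20KB"),
    ("memory/2064-6-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-8-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-13-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-5-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-43-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-1-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-9-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-14-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-18-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-20-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-23-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-28-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-32-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-34-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2064-40-0x0000000002310000-0x00000000023AA000-memory.dmp", "616KB"),
    ("memory/2736-0-0x0000000000400000-0x00000000004B9000-memory.dmp", "740KB"),
]


def parse_dump_name(name):
    """Split a dump file name into pid, index, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end,
            "size": end - start}


def reported_kb(text):
    """Parse the report's 'NNNKB' size string into whole KB."""
    if not text.endswith("KB"):
        raise ValueError(f"unsupported size unit: {text}")
    return int(text[:-2])


def check_sizes(dumps):
    """Return dumps whose reported size disagrees with the range in the name."""
    bad = []
    for name, reported in dumps:
        d = parse_dump_name(name)
        if d["size"] // 1024 != reported_kb(reported):
            bad.append((name, d["size"], reported))
    return bad


def group_by_region(dumps):
    """Map (pid, start, end) -> sorted dump indices that captured that region."""
    regions = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump_name(name)
        regions[(d["pid"], d["start"], d["end"])].append(d["index"])
    return {k: sorted(v) for k, v in regions.items()}


def regions_of_size(regions, size_kb):
    """Regions whose size in whole KB equals size_kb, e.g. the sample's file size."""
    return sorted(k for k in regions if (k[2] - k[1]) // 1024 == size_kb)


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for region, indices in sorted(group_by_region(DUMPS).items()):
        pid, start, end = region
        print(f"pid {pid} 0x{start:X}-0x{end:X}: dumps {indices}")
    print("regions matching the 740KB file size:", regions_of_size(group_by_region(DUMPS), 740))
```

Grouping first, then opening one dump per region (the highest index is the latest snapshot), is the usual way to avoid reversing the same 616KB buffer nineteen times; the 320KB and 20KB regions in PID 2064 are captured only once each and are easy to overlook in the flat list.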