5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 20:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
Size

1.3MB
MD5

afb6010f45d63a69417f756fc70c7d13
SHA1

22718182b83293f84ab3cb894d568ca137e6e79f
SHA256

5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079
SHA512

720356d329a82bc5c837911c12d158c20fb168f62f2b2c5a614a941187bab78bec5e833f6d0a7a9d04cb089dc041abf53c543e167d093347c0a78154fb860b66
SSDEEP

24576:X0hzpOR8uLEaZylSfnjEoGV4OiV+5vox8z/rhPV5VG7:Xgo2iV8QWz/VPVq

Score

3^/10

Malware Config

Signatures

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2300	3988	WerFault.exe	80
2748	3988	WerFault.exe	80

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
Token: SeIncBasePriorityPrivilege	3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
3988	5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe

C:\Users\Admin\AppData\Local\Temp\5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe
"C:\Users\Admin\AppData\Local\Temp\5173c1c4ab3f43f4c015064f596bb9c97ec540f71c77e5e67e2cebdddaf4b079.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 2012
  2⤵
  - Program crash
  PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 744
  2⤵
  - Program crash
  PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3988 -ip 3988
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3988 -ip 3988
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jnns.Config

Filesize
1KB

MD5
3c3ff13d9b89b00ac73bc76bccd39e9a

SHA1
62a52b99813ed9365261030abaffad7500df80f9

SHA256
2cba444138b69292a1c2fb87c2e11fcdb5364c1ba13afa031f879bd58bbff26b

SHA512
7351c1ff651390e4bce49c10c91acc20996b43d0d3f6ebfad358381095a211c139c04a708a7f573d1681d10806cb794b4a5e21013c173b1aec0ce3cd2f408f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jnns.Config

Filesize
2KB

MD5
9c4739b921376e7f9501c024b667b922

SHA1
addddedd62ec146e9e3d1db694c043bce88b7a2f

SHA256
bbee5b4e537b9e547d2086f18d3028f206ad168d51abe9e826cf043ce84d2a9e

SHA512
01082f5e82380ef6d433024c95a0936a5edad278926aa258ab66f6f8aa5fcbbf8275b8197836cd8b1bbacacbdd02afe658d40d567278d36bc58559ff4df337f5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads