Analysis
max time kernel: 145s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 02:02

Behavioral task: behavioral1
Sample: b39fc50bee5a51c5a143e799c7676af63cb06ab92e07f9e90a37ac12fc534b3e.exe
Resource: win7-20241010-en
General
Target: b39fc50bee5a51c5a143e799c7676af63cb06ab92e07f9e90a37ac12fc534b3e.exe
Size: 327KB
MD5: 22d35cdedb4d4109510b9394610f5b2e
SHA1: 5bc5e5856e4b2317966eff4dade064242db0948a
SHA256: b39fc50bee5a51c5a143e799c7676af63cb06ab92e07f9e90a37ac12fc534b3e
SHA512: 9488d53bfb361cfbddb069ee59af2f14a3134a7cf585b318e2511df7eebaac8cd915a00b0457a9b16a96b4c289b41673bbfae87827749173b5e0bd359638ef2a
SSDEEP: 6144:iJjREwLniAOzZx8pzwInnnpfnLItus2al85/Fj9QLMzhfOeQSK/04KSI:MmonhOzZx8pPnpTIKu0dj9yMzhfDdK8
Malware Config
Signatures
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
Mimikatz family (1 IoCs)
mimikatz is an open source tool to dump credentials on Windows.
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/872-33-0x00000210C0CA0000-0x00000210C0CED000-memory.dmp  mimikatz
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                          pid   Process       procid_target
  PID 1056 set thread context of 3820  1056  werfault.exe  107
  PID 1056 set thread context of 2652  1056  werfault.exe  112
  PID 1056 set thread context of 872   1056  werfault.exe  115
  PID 1056 set thread context of 3184  1056  werfault.exe  116
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3260-0-0x00007FF6B4CB0000-0x00007FF6B4E50000-memory.dmp  upx
  behavioral2/memory/3260-4-0x00007FF6B4CB0000-0x00007FF6B4E50000-memory.dmp  upx
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
  pid   Process
  2232  ipconfig.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid   Process
  1056  werfault.exe
  1056  werfault.exe
  872   rundll32.exe
  872   rundll32.exe
  872   rundll32.exe
  872   rundll32.exe
  872   rundll32.exe
  872   rundll32.exe
  3184  rundll32.exe
  3184  rundll32.exe
  1056  werfault.exe
  1056  werfault.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  872   rundll32.exe
  Token: SeDebugPrivilege  3184  rundll32.exe
Suspicious use of WriteProcessMemory (53 IoCs)
Processes:
  description                        pid   Process       procid_target
  PID 1056 wrote to memory of 3820   1056  werfault.exe  107
  PID 1056 wrote to memory of 3820   1056  werfault.exe  107
  PID 1056 wrote to memory of 3820   1056  werfault.exe  107
  PID 3820 wrote to memory of 2232   3820  rundll32.exe  109
  PID 3820 wrote to memory of 2232   3820  rundll32.exe  109
  PID 1056 wrote to memory of 2652   1056  werfault.exe  112
  PID 1056 wrote to memory of 2652   1056  werfault.exe  112
  PID 1056 wrote to memory of 2652   1056  werfault.exe  112
  PID 1056 wrote to memory of 2128   1056  werfault.exe  113
  PID 1056 wrote to memory of 2128   1056  werfault.exe  113
  PID 1056 wrote to memory of 872    1056  werfault.exe  115
  PID 1056 wrote to memory of 872    1056  werfault.exe  115
  PID 1056 wrote to memory of 872    1056  werfault.exe  115
  PID 1056 wrote to memory of 3184   1056  werfault.exe  116
  PID 1056 wrote to memory of 3184   1056  werfault.exe  116
  PID 1056 wrote to memory of 3184   1056  werfault.exe  116
  PID 3184 wrote to memory of 676    3184  rundll32.exe  7
  PID 3184 wrote to memory of 676    3184  rundll32.exe  7
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 3212    676   lsass.exe     117
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2992    676   lsass.exe     120
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 1056 wrote to memory of 3540   1056  werfault.exe  56
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
  PID 676 wrote to memory of 2716    676   lsass.exe     48
Processes
C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
  PID: 676
  - Suspicious use of WriteProcessMemory

C:\Windows\sysmon.exe
  Command line: C:\Windows\sysmon.exe
  PID: 2716

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3540

  C:\Users\Admin\AppData\Local\Temp\b39fc50bee5a51c5a143e799c7676af63cb06ab92e07f9e90a37ac12fc534b3e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b39fc50bee5a51c5a143e799c7676af63cb06ab92e07f9e90a37ac12fc534b3e.exe"
    PID: 3260

    C:\Windows\System32\werfault.exe
      Command line: \??\C:\Windows\System32\werfault.exe
      PID: 1056
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe
        PID: 3820
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\ipconfig.exe
          Command line: "C:\Windows\system32\ipconfig.exe" /all
          PID: 2232
          - Gathers network information

      C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe
        PID: 2652

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /C set
        PID: 2128

      C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe
        PID: 872
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe
        PID: 3184
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 3212

C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID: 2992