Analysis
- max time kernel: 26s
- max time network: 29s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-02-2021 19:12
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice 6500TH21Y5674.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Invoice 6500TH21Y5674.exe
  Resource: win10v20201028
General
- Target: Invoice 6500TH21Y5674.exe
- Size: 209KB
- MD5: dc22d7783144cfe4dcbb4734ed6a3656
- SHA1: 65d3e4f4df34bb25f7b621dd0457c641f98029cb
- SHA256: c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
- SHA512: 908395a21d0a9411d8d2839b7c952f1cf50fd1998c5325457913cc27b581719d890919c196460ce5eb9fadba874b40043a537e8e40ff6aac75fd0dffcae7be4c
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    1100  Invoice 6500TH21Y5674.exe
    1100  Invoice 6500TH21Y5674.exe
    1488  WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1488  1100        WerFault.exe  Invoice 6500TH21Y5674.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1488  WerFault.exe
    1488  WerFault.exe
    1488  WerFault.exe
    1488  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1488  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process                    target process
    PID 1100 wrote to memory of 1488   1100  Invoice 6500TH21Y5674.exe  WerFault.exe
    PID 1100 wrote to memory of 1488   1100  Invoice 6500TH21Y5674.exe  WerFault.exe
    PID 1100 wrote to memory of 1488   1100  Invoice 6500TH21Y5674.exe  WerFault.exe
    PID 1100 wrote to memory of 1488   1100  Invoice 6500TH21Y5674.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoice 6500TH21Y5674.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 6500TH21Y5674.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 1100)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 500
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ir9ehshgyir.dll
  MD5: 27352d6a2da80c7a04c0a589e7f025bd
  SHA1: 500b490b02ee59deee00feb4c59a9f0308464e5c
  SHA256: 427ab077a32d2844f5e82a1d0c52b9fa73bb58298dc70b3d3a55ba05552dd840
  SHA512: 5afc122644ca2d1b2f9594adf653be281001c6c4e4d6d31b55950b83c64a1434b63054594b575510a9fa707d33e22624f01e92f5da2572712e364c7e1c21108b
- \Users\Admin\AppData\Local\Temp\nsi733.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/1100-2-0x00000000760C1000-0x00000000760C3000-memory.dmp
  Filesize: 8KB
- memory/1488-5-0x0000000000000000-mapping.dmp
- memory/1488-6-0x0000000000990000-0x00000000009A1000-memory.dmp
  Filesize: 68KB
- memory/1488-7-0x0000000000990000-0x00000000009A1000-memory.dmp
  Filesize: 68KB
- memory/1488-11-0x0000000000480000-0x0000000000481000-memory.dmp
  Filesize: 4KB