Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
16-04-2021 14:03
Static task
static1
Behavioral task
behavioral1
Sample
Urgent RFQ_AP65425652_032421,pdf.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Urgent RFQ_AP65425652_032421,pdf.exe
Resource
win10v20210410
General
-
Target
Urgent RFQ_AP65425652_032421,pdf.exe
-
Size
795KB
-
MD5
2c01f256b290b5366e18d6cf17ab20dd
-
SHA1
cd50c60b4f6a9fc43c6aa7d0b8c03cc1ff465046
-
SHA256
d171d6bfdf320dd4cb4f29596bdd63b41272d087b5e61edc8e0eb47c68fc5cad
-
SHA512
e905f448f1864a96ca86bec75bbade8443b5fae0efa6ea19614ce06f2879b27cb438d22b360d0e032f609d2efb1978d8f3cd4a9be16a952a0473be8f9e615d6e
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Netplwiz.exeNetplwiz.exepid process 1320 Netplwiz.exe 1344 Netplwiz.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Urgent RFQ_AP65425652_032421,pdf.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vawrfz = "C:\\Users\\Public\\Libraries\\zfrwaV.url" Urgent RFQ_AP65425652_032421,pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1388 544 WerFault.exe dialer.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1388 WerFault.exe 1388 WerFault.exe 1388 WerFault.exe 1388 WerFault.exe 1388 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
cmd.exeWerFault.exepid process 1648 cmd.exe 1388 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1388 WerFault.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
Urgent RFQ_AP65425652_032421,pdf.exedialer.execmd.exedescription pid process target process PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 544 1632 Urgent RFQ_AP65425652_032421,pdf.exe dialer.exe PID 1632 wrote to memory of 1804 1632 Urgent RFQ_AP65425652_032421,pdf.exe cmd.exe PID 1632 wrote to memory of 1804 1632 Urgent RFQ_AP65425652_032421,pdf.exe cmd.exe PID 1632 wrote to memory of 1804 1632 Urgent RFQ_AP65425652_032421,pdf.exe cmd.exe PID 1632 wrote to memory of 1804 1632 Urgent RFQ_AP65425652_032421,pdf.exe cmd.exe PID 544 wrote to memory of 1388 544 dialer.exe WerFault.exe PID 544 wrote to memory of 1388 544 dialer.exe WerFault.exe PID 544 wrote to memory of 1388 544 dialer.exe WerFault.exe PID 544 wrote to memory of 1388 544 dialer.exe WerFault.exe PID 1804 wrote to memory of 1648 1804 cmd.exe cmd.exe PID 1804 wrote to memory of 1648 1804 cmd.exe cmd.exe PID 1804 wrote to memory of 1648 1804 cmd.exe cmd.exe PID 1804 wrote to memory of 1648 1804 cmd.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Urgent RFQ_AP65425652_032421,pdf.exe"C:\Users\Admin\AppData\Local\Temp\Urgent RFQ_AP65425652_032421,pdf.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1483⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\stt.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows \System32\Netplwiz.exe"C:\Windows \System32\Netplwiz.exe"4⤵
- Executes dropped EXE
-
C:\Windows \System32\Netplwiz.exe"C:\Windows \System32\Netplwiz.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\NETUTILS.dllMD5
39507d772c63ca496a25a14a8b5d14b2
SHA15b603f5c11eb9ab4313694315b4d4894ff4641d4
SHA25636d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12
SHA5120c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f
-
C:\Users\Public\Netplwiz.exeMD5
f94b7fb6dac49844d03c7087b2d8b472
SHA10e84139fced0ee8ef929d0bd5f01559a7dcf1db0
SHA25646e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4
SHA512d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80
-
C:\Users\Public\PXOR.batMD5
0d8aef656413642f55e0902cc5df5e6f
SHA173ec56d08bd9b3c45d55c97bd1c1286b77c8ff49
SHA256670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11
SHA512efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876
-
C:\Users\Public\stt.batMD5
8a850253c31df9a7e1c00c80df2630d5
SHA1e3da74081b027a3b591488b28da22742bcfe8495
SHA2568fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35
SHA51230510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1
-
C:\Windows \System32\Netplwiz.exeMD5
f94b7fb6dac49844d03c7087b2d8b472
SHA10e84139fced0ee8ef929d0bd5f01559a7dcf1db0
SHA25646e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4
SHA512d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80
-
C:\Windows \System32\Netplwiz.exeMD5
f94b7fb6dac49844d03c7087b2d8b472
SHA10e84139fced0ee8ef929d0bd5f01559a7dcf1db0
SHA25646e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4
SHA512d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80
-
memory/544-82-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/544-81-0x0000000010540000-0x0000000010564000-memory.dmpFilesize
144KB
-
memory/544-78-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/544-80-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/544-66-0x0000000000000000-mapping.dmp
-
memory/1388-69-0x0000000000000000-mapping.dmp
-
memory/1388-84-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/1632-63-0x00000000004D0000-0x00000000004EA000-memory.dmpFilesize
104KB
-
memory/1632-62-0x00000000004D0000-0x00000000004D1000-memory.dmpFilesize
4KB
-
memory/1632-61-0x00000000003B0000-0x00000000003B1000-memory.dmpFilesize
4KB
-
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmpFilesize
8KB
-
memory/1648-83-0x00000000007C0000-0x00000000008B5000-memory.dmpFilesize
980KB
-
memory/1648-71-0x0000000000000000-mapping.dmp
-
memory/1804-68-0x0000000000000000-mapping.dmp