Analysis
max time kernel: 36s
max time network: 124s
platform: windows10_x64
resource: win10v20210408
submitted: 23-05-2021 17:01
Static task: static1
Behavioral task: behavioral1 (sample 1CEB51CFD72F59D9035AB2A78627D4F5.exe, resource win7v20210410)
Behavioral task: behavioral2 (sample 1CEB51CFD72F59D9035AB2A78627D4F5.exe, resource win10v20210408)
General
Target: 1CEB51CFD72F59D9035AB2A78627D4F5.exe
Size: 3.2MB
MD5: 1ceb51cfd72f59d9035ab2a78627d4f5
SHA1: 812808c718c8aa14775893ac9571e0f0dba04e66
SHA256: 7a63dfdb3c679b747aadbd3855f97e9fb00a7cffdca72a937f63bb167dd52f20
SHA512: a73df1484194611425f387f8b73a2d81a2f7f9b7e04f8a9c00095e48fc652287258a21e534beb0cbe6129d697283a20c3b6ed10a4f30c91ebffb1f6be18437cd
Malware Config
Signatures
YARA rule: aspack_v212_v242 (ASPack packer signature)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\setup_install.exe | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\setup_install.exe | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0E2419A4\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0E2419A4\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0E2419A4\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\libstdc++-6.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0E2419A4\libstdc++-6.dll | aspack_v212_v242
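The rule above fires on the dropped installer and three of its DLLs, but the report does not show the rule body. The script below is an added, stand-alone heuristic written for this page (not the sandbox's aspack_v212_v242 rule) that checks a PE's section table for the traces ASPack leaves: sections named .aspack and .adata, with the entry point inside .aspack. The two PE images it examines are constructed in code so it runs offline; in practice you would read the dropped file's bytes instead.

```python
"""Check a PE image for ASPack section-table traces (.aspack/.adata, entry point in .aspack).
Added example for this report page; not the sandbox's aspack_v212_v242 rule, whose body is
not shown.  PACKED and CLEAN are constructed test images, not real dropped files."""
import struct

ASPACK_SECTIONS = {".aspack", ".adata"}


def parse_pe(data):
    """Return (entry_point_rva, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                       # 20-byte COFF header follows the signature
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # AddressOfEntryPoint, same offset in PE32 and PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, rva = struct.unpack_from("<8sII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, vsize))
    return entry, sections


def aspack_indicators(data):
    """Section names that match ASPack's, and whether the entry point lives in one of them."""
    entry, sections = parse_pe(data)
    entry_section = next((n for n, rva, vsize in sections if rva <= entry < rva + vsize), None)
    return {
        "aspack_sections": sorted({n for n, _, _ in sections} & ASPACK_SECTIONS),
        "entry_section": entry_section,
        "entry_in_packer_section": entry_section in ASPACK_SECTIONS,
    }


def build_test_pe(sections, entry_rva):
    """Construct a minimal PE32 image (test data, not a real binary): DOS header, PE signature,
    COFF header, 224-byte optional header and a section table.  Only the fields parse_pe()
    reads, plus section characteristics, are filled in."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, rva, vsize, 0, 0, 0, 0, 0, 0xE0000020)
        for name, rva, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed: a layout typical of an ASPack-packed PE32 next to an unpacked one.
PACKED = build_test_pe([(".text", 0x1000, 0x3000), (".aspack", 0x4000, 0x1000),
                        (".adata", 0x5000, 0x200)], entry_rva=0x4100)
CLEAN = build_test_pe([(".text", 0x1000, 0x3000), (".rdata", 0x4000, 0x800)], entry_rva=0x1234)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, aspack_indicators(image))
```

Section names are trivial for a packer to rename, so this is a triage tripwire rather than a verdict; byte-pattern YARA rules on the unpacking stub are what hold up when the names are changed. A hit on the DLLs as well as on setup_install.exe, as in this report, is still worth noting: third-party libraries are rarely shipped packed by their upstream projects.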
Executes dropped EXE (1 IoC)
pid | process
4064 | setup_install.exe
Loads dropped DLL (6 IoCs)
pid | process
4064 | setup_install.exe (6 DLL loads)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic heuristic on drive enumeration, which installers also do routinely; no other signature in this report points to encryption or ransom-note activity, so treat the ransomware label as something to verify, not as a verdict.
Program crash (1 IoC)
pid | pid_target | process | target process
3696 | 4064 | WerFault.exe | setup_install.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | process
3696 | WerFault.exe (16 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeRestorePrivilege | 3696 | WerFault.exe
Token: SeBackupPrivilege | 3696 | WerFault.exe
Token: SeDebugPrivilege | 3696 | WerFault.exe
Both of these signatures are attributed to PID 3696, WerFault.exe, the Windows error-reporting process that was launched to handle the crash of setup_install.exe (PID 4064), not to the sample or its dropped installer. WerFault enumerating processes and enabling SeDebugPrivilege to read the crashing process is expected behaviour and should not be scored against the sample.
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 736 wrote to memory of 4064 | 736 | 1CEB51CFD72F59D9035AB2A78627D4F5.exe | setup_install.exe
PID 736 wrote to memory of 4064 | 736 | 1CEB51CFD72F59D9035AB2A78627D4F5.exe | setup_install.exe
PID 736 wrote to memory of 4064 | 736 | 1CEB51CFD72F59D9035AB2A78627D4F5.exe | setup_install.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1CEB51CFD72F59D9035AB2A78627D4F5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1CEB51CFD72F59D9035AB2A78627D4F5.exe"
   PID: 736
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\setup_install.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\setup_install.exe"
      PID: 4064
      - Executes dropped EXE
      - Loads dropped DLL
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 460
         PID: 3696
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
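The tree above reads as: the sample (PID 736) extracts and starts setup_install.exe (PID 4064), writes into its memory three times, and the child then crashes, which is what brings in WerFault.exe with -p 4064. The script below is an added example, not part of the sandbox output, that rebuilds that tree from sandbox-style process events and flags the "parent writes into the child it spawned, child then crashes" pattern. The event records are constructed from the PIDs, image paths and WerFault command line in this report; the record field names (kind, pid, ppid, image, target, cmdline) are the script's own.

```python
"""Rebuild a process tree from sandbox-style events and flag a parent writing into a child
it spawned, together with whether WerFault later handled that child.
Added example for this report page; EVENTS is constructed from the PIDs, images and
WerFault command line shown in the report, with field names chosen for this script."""
from collections import defaultdict
import ntpath
import re

EVENTS = [
    {"kind": "process_start", "pid": 736, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1CEB51CFD72F59D9035AB2A78627D4F5.exe"},
    {"kind": "process_start", "pid": 4064, "ppid": 736,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zS0E2419A4\setup_install.exe"},
    {"kind": "write_process_memory", "pid": 736, "target": 4064},
    {"kind": "write_process_memory", "pid": 736, "target": 4064},
    {"kind": "write_process_memory", "pid": 736, "target": 4064},
    {"kind": "process_start", "pid": 3696, "ppid": 4064,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 460"},
]

# WerFault.exe names the crashing process with -p <pid>; -u and -s are not needed here.
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def build_tree(events):
    """Map pid -> {"image", "ppid", "children"} from process_start events."""
    procs = {e["pid"]: {"image": e["image"], "ppid": e["ppid"], "children": []}
             for e in events if e["kind"] == "process_start"}
    for pid, proc in procs.items():
        if proc["ppid"] in procs:
            procs[proc["ppid"]]["children"].append(pid)
    return procs


def crashed_pids(events):
    """PIDs that a WerFault.exe instance was launched to report on."""
    crashed = set()
    for e in events:
        if e["kind"] == "process_start" and e["image"].lower().endswith("\\werfault.exe"):
            m = WERFAULT_TARGET.search(e.get("cmdline", ""))
            if m:
                crashed.add(int(m.group(1)))
    return crashed


def find_parent_writes_child(events):
    """Every (parent, child) pair where the parent wrote into a child it created, with the
    number of writes and whether WerFault later handled that child."""
    procs = build_tree(events)
    crashed = crashed_pids(events)
    writes = defaultdict(int)
    for e in events:
        if e["kind"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
    findings = []
    for (src, dst), count in sorted(writes.items()):
        if dst in procs and procs[dst]["ppid"] == src:
            findings.append({
                "parent": src, "parent_image": procs[src]["image"],
                "child": dst, "child_image": procs[dst]["image"],
                "writes": count, "child_crashed": dst in crashed,
            })
    return findings


if __name__ == "__main__":
    for f in find_parent_writes_child(EVENTS):
        print(f"{f['parent']} -> {f['child']} ({ntpath.basename(f['child_image'])}): "
              f"{f['writes']} write(s), crashed={f['child_crashed']}")
```

On its own, a parent writing into a child it just created is weak evidence; launchers and SFX stubs do it legitimately. What makes this run worth a closer look is the combination: the write target is a packed, freshly dropped executable, and it crashes immediately afterwards, so the installer never reached whatever it was meant to do in this environment and the behavioural trace is likely incomplete.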
Network
MITRE ATT&CK Enterprise v6
Downloads
Six distinct files (the report lists several of them more than once):

MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

MD5: 9aec524b616618b0d3d00b27b6f51da1
SHA1: 64264300801a353db324d11738ffed876550e1d3
SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

MD5: 5e279950775baae5fea04d2cc4526bcc
SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

MD5: dbec1cd321303d6234db025f762c6c8c
SHA1: a2a4bfe51e801dce86d1ea80ff1d9f29384b1b97
SHA256: 5046641b418e1947f1fb2c16cd65db3a9e7be5073302210057937bfc3d54cc96
SHA512: 3705e754c9b0293dbd5b7835bb5163d0822d7b648e3a4236eab78cadd406aa3b4246d42f3b43801b3c01c3b3074f8bc6b3da9e3190207b184a6a8d6c8e5f7dfa