Analysis
- max time kernel: 107s
- max time network: 58s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-06-2021 03:02
Static task: static1
Behavioral task: behavioral1
- Sample: 발주분(신규)_101115_[새너]_210611.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 발주분(신규)_101115_[새너]_210611.exe
- Resource: win10v20210408
General
- Target: 발주분(신규)_101115_[새너]_210611.exe
- Size: 866KB
- MD5: 3a99e7eef8446fa24717026efa1ef161
- SHA1: a09abbcb98ec6a85ce39e4cb8124cfbbe51b1810
- SHA256: f97691877cb494702c1876a40dbcc840b6ab6df9bd062eb1cafa8d23fd674d08
- SHA512: a6cf3ecd316b150361f788bc00a9a0096fdcfecddf3043a1d22389ead7b7736ea3448503f33411e674b6634505f6c4438c1c899c66819f4b021511b8519a6230
Malware Config
- (no configuration extracted from this sample)
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but on its own it is a weak indicator: drive enumeration is also routine in installers, loaders and information stealers, and this run records no file encryption or ransom note.
- Program crash (1 IoC)
  Processes:
  pid 1392 WerFault.exe, target pid 1728 발주분(신규)_101115_[새너]_210611.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is registered from an XML file in the user's temp directory (see the process tree below), so the trigger and action are not visible on the command line.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid 1728 발주분(신규)_101115_[새너]_210611.exe (1 event)
  pid 1392 WerFault.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 1728 발주분(신규)_101115_[새너]_210611.exe
  Token: SeDebugPrivilege, pid 1392 WerFault.exe
  SeDebugPrivilege in WerFault.exe is expected: the error-reporting process must open the crashed process to dump it. The same privilege in the sample itself is the interesting event.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  pid 1728 발주분(신규)_101115_[새너]_210611.exe wrote to memory of pid 740 schtasks.exe (4 events)
  pid 1728 발주분(신규)_101115_[새너]_210611.exe wrote to memory of pid 1392 WerFault.exe (4 events)
  Both targets are children the sample had just created, and a handful of writes into a freshly created child is consistent with ordinary process start-up rather than code injection; nothing in this report shows the sample writing into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe (pid 1728, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (pid 740, depth 2)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xApAzcFTr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WerFault.exe (pid 1392, depth 2)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1020
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Two details of this tree are worth noting. First, the command line names C:\Windows\System32\schtasks.exe but the image that ran is C:\Windows\SysWOW64\schtasks.exe: file system redirection rewrote the path, which only happens for a 32-bit process on a 64-bit host, so the sample is a 32-bit executable. Second, the task is created with /XML from tmp6068.tmp (listed under Downloads below) rather than with /SC and /TR, so the trigger and the program the task launches live in that XML file, not in process-creation logs; the task name Updates\xApAzcFTr and the tmpXXXX.tmp file name both look generated. The sample then crashed: WerFault.exe -p 1728 names the sample's own pid.
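The process tree above is exactly the shape a detection engineer wants to catch in process-creation telemetry: schtasks.exe registering a task from an XML file in a temp directory, launched by a parent that itself runs from a temp directory, with the System32/SysWOW64 mismatch and a later crash as corroboration. The following is an added example (not part of the sandbox report) that hunts for that pattern over constructed Sysmon-style events mirroring the tree; the parent pids 1000 and 2100, the benign Backup task used for contrast, and the `Updates\<random>` task-name heuristic are assumptions for illustration.

```python
"""Hunt for the schtasks-from-XML persistence pattern in process-creation
telemetry.  Added example for this report, not sandbox output; the events
below are constructed to mirror the report's process tree plus one benign
schtasks call for contrast."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 / Security 4688 style record."""
    pid: int
    ppid: int
    image: str      # resolved image path
    cmdline: str    # command line as logged


# Constructed sample telemetry (not the report's raw logs).  PIDs and command
# lines match the process tree; ppid 1000 and 2100 are assumed.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1728, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe"'),
    ProcEvent(740, 1728, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xApAzcFTr" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp"'),
    ProcEvent(1392, 1728, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1020"),
    # Benign contrast (assumed): trigger and action visible on the command line.
    ProcEvent(2200, 2100, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /SC DAILY /TR "C:\Tools\backup.cmd"'),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Heuristic (assumption): a task under the "Updates\" folder with a
# random-looking alphanumeric name, like the report's Updates\xApAzcFTr.
RANDOM_UPDATES_TASK = re.compile(r"Updates\\[A-Za-z0-9]{6,}")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [q if q else p for q, p in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def schtasks_options(cmdline: str) -> Dict[str, object]:
    """Map /switch -> value (or True for bare flags) from a schtasks command line."""
    tokens = tokenize(cmdline)
    opts: Dict[str, object] = {}
    i = 1                                   # skip the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def crashed_pids(events: List[ProcEvent]) -> set:
    """PIDs named by WerFault.exe -p <pid>, i.e. processes that crashed."""
    out = set()
    for ev in events:
        if ev.image.lower().endswith(r"\werfault.exe"):
            m = re.search(r"(?:^|\s)-p\s+(\d+)", ev.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {schtasks pid: [reasons]} for task registrations worth triage."""
    by_pid = {e.pid: e for e in events}
    crashed = crashed_pids(events)
    findings: Dict[int, List[str]] = {}
    for ev in events:
        if not ev.image.lower().endswith(r"\schtasks.exe"):
            continue
        opts = schtasks_options(ev.cmdline)
        if "/create" not in opts:
            continue
        reasons = []
        xml = opts.get("/xml")
        if isinstance(xml, str) and TEMP_DIR.search(xml):
            # Trigger and action are in the XML file, not on the command line.
            reasons.append(f"task defined by XML in a temp directory: {xml}")
        tn = opts.get("/tn")
        if isinstance(tn, str) and RANDOM_UPDATES_TASK.fullmatch(tn):
            reasons.append(f"task name looks generated: {tn}")
        parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
        if parent and TEMP_DIR.search(parent.image):
            reasons.append(f"parent runs from a temp directory: {parent.image}")
        if ev.image.lower().startswith("c:\\windows\\syswow64\\") and "system32" in ev.cmdline.lower():
            reasons.append("32-bit caller: System32 path redirected to SysWOW64")
        if ev.ppid in crashed:
            reasons.append(f"parent pid {ev.ppid} later crashed under WerFault")
        if reasons:
            findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

On the constructed events only pid 740 is flagged, with all five reasons; the Backup task passes because its XML, name, parent and bitness all look ordinary. In production the `/XML` path is the pivot: acquire the file before it is deleted, because it is the only place the task's action and trigger are recorded.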
Network
- (no network activity recorded in this run)
MITRE ATT&CK Matrix (ATT&CK v6)
- Scheduled Task (T1053): from the Creates scheduled task(s) signature
- Peripheral Device Discovery (T1120): from the Enumerates physical storage devices signature
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp
  MD5: 8d27119dfce1550869343f9876c74d09
  SHA1: c0d9f6a1fe0f81d6565a9019c8e0a21a2ef04e19
  SHA256: 5d671ab954e74efa6a994809abb37a762b685559db9c89564330df8520c411c5
  SHA512: fbf4cdffc8d060924cee4175859a368bf788ef9e42185e28f36040020d4b5dae9643479eb953cab90cfe235cb07683eac2ca2e38a6f1e3c7193ab56406c6f2a7
  This is the scheduled-task XML passed to schtasks.exe /XML in the process tree. The hashes identify the dropped file; its contents (the task's trigger and action) are not reproduced in this report.

Memory dumps (pid-sequence-range; mapping records carry a zero address and no range):
- memory/740-65-0x0000000000000000-mapping.dmp
- memory/1392-67-0x0000000000000000-mapping.dmp
- memory/1392-68-0x00000000003F0000-0x00000000003F1000-memory.dmp (4KB)
- memory/1728-59-0x0000000000DC0000-0x0000000000DC1000-memory.dmp (4KB)
- memory/1728-61-0x00000000003A0000-0x00000000003BE000-memory.dmp (120KB)
- memory/1728-62-0x0000000004FC0000-0x0000000004FC1000-memory.dmp (4KB)
- memory/1728-63-0x0000000005100000-0x000000000517A000-memory.dmp (488KB)
- memory/1728-64-0x0000000000B70000-0x0000000000BA6000-memory.dmp (216KB)
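When pulling these dumps for static review it helps to turn the file names into address ranges first, so the three larger regions of pid 1728 can be separated from the single-page ones. The following is an added example (not part of the report) that parses the naming scheme as it appears in the eight entries above; the scheme is inferred from those names only, and the 4 KiB page size is an assumption standard for Windows.

```python
"""Parse the memory-dump names listed under Downloads into address ranges.
Added example, not part of the report; the names in REPORT_DUMPS are copied
from the report's own list.  The name grammar is inferred from those names."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")

PAGE = 0x1000   # assumed 4 KiB page size


@dataclass
class DumpEntry:
    pid: int
    seq: int
    start: int
    end: Optional[int]    # None for mapping records, which carry no range
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


REPORT_DUMPS = [
    "memory/740-65-0x0000000000000000-mapping.dmp",
    "memory/1392-67-0x0000000000000000-mapping.dmp",
    "memory/1392-68-0x00000000003F0000-0x00000000003F1000-memory.dmp",
    "memory/1728-59-0x0000000000DC0000-0x0000000000DC1000-memory.dmp",
    "memory/1728-61-0x00000000003A0000-0x00000000003BE000-memory.dmp",
    "memory/1728-62-0x0000000004FC0000-0x0000000004FC1000-memory.dmp",
    "memory/1728-63-0x0000000005100000-0x000000000517A000-memory.dmp",
    "memory/1728-64-0x0000000000B70000-0x0000000000BA6000-memory.dmp",
]


def parse_dump_name(name: str) -> DumpEntry:
    """Split one dump file name into pid, sequence number, range and kind."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return DumpEntry(int(m.group("pid")), int(m.group("seq")),
                     int(m.group("start"), 16),
                     int(end, 16) if end else None, m.group("kind"))


def regions_by_pid(names: List[str]) -> Dict[int, List[DumpEntry]]:
    """Memory regions (mapping records excluded) grouped by pid, by address."""
    out: Dict[int, List[DumpEntry]] = {}
    for name in names:
        e = parse_dump_name(name)
        if e.kind == "memory" and e.end is not None:
            out.setdefault(e.pid, []).append(e)
    for regs in out.values():
        regs.sort(key=lambda r: r.start)
    return out


def dumped_bytes(names: List[str]) -> Dict[int, int]:
    """Total bytes of dumped memory per pid."""
    return {pid: sum(r.size for r in regs)
            for pid, regs in regions_by_pid(names).items()}


def page_aligned(names: List[str]) -> bool:
    """Sanity check: every region starts and ends on a page boundary."""
    return all(r.start % PAGE == 0 and r.end % PAGE == 0
               for regs in regions_by_pid(names).values() for r in regs)


if __name__ == "__main__":
    for pid, regs in regions_by_pid(REPORT_DUMPS).items():
        for r in regs:
            tag = " (single page)" if r.size == PAGE else ""
            print(f"pid {pid}: 0x{r.start:08X}-0x{r.end:08X} {r.size // 1024} KiB{tag}")
```

Run stand-alone it lists pid 1728's five regions in address order (three of them, 120, 216 and 488 KiB, are the candidates for carved code or data; the rest are single pages) and the one 4 KiB page captured from WerFault.exe, 832 KiB of dumped memory for the sample in total.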