Analysis
- max time kernel: 110s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 03:02
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 발주분(신규)_101115_[새너]_210611.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: 발주분(신규)_101115_[새너]_210611.exe
  Resource: win10v20210408
General
- Target: 발주분(신규)_101115_[새너]_210611.exe
- Size: 866KB
- MD5: 3a99e7eef8446fa24717026efa1ef161
- SHA1: a09abbcb98ec6a85ce39e4cb8124cfbbe51b1810
- SHA256: f97691877cb494702c1876a40dbcc840b6ab6df9bd062eb1cafa8d23fd674d08
- SHA512: a6cf3ecd316b150361f788bc00a9a0096fdcfecddf3043a1d22389ead7b7736ea3448503f33411e674b6634505f6c4438c1c899c66819f4b021511b8519a6230
Malware Config
(none extracted)
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
    3164 / 660 / WerFault.exe / 발주분(신규)_101115_[새너]_210611.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid / process):
    660 / 발주분(신규)_101115_[새너]_210611.exe (2 entries)
    3164 / WerFault.exe (13 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 660 / 발주분(신규)_101115_[새너]_210611.exe
    Token: SeRestorePrivilege / 3164 / WerFault.exe
    Token: SeBackupPrivilege / 3164 / WerFault.exe
    Token: SeDebugPrivilege / 3164 / WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 660 wrote to memory of 3688 / 660 / 발주분(신규)_101115_[새너]_210611.exe / schtasks.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe"
  Level: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xApAzcFTr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD6E8.tmp"
  Level: 2
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1648
  Level: 2
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
(no entries)
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD6E8.tmp
  MD5: d790275ab4a308ae609b2b8db11b89d7
  SHA1: f225bfefddc699ed39014f2321ef5244949db837
  SHA256: af38abb2e86d38538fa6720efb3198968d8b980959f7a54d0ca2ae1003cf8616
  SHA512: e047d1800004efae91b9a85f8af031d704967cbd2c77603a5fc4876a825220a7a9b704f098c0796cc7a2060b03a023e757134b4e163ec5aad5109c913c728cf3
- memory/660-114-0x0000000000A50000-0x0000000000A51000-memory.dmp
  Filesize: 4KB
- memory/660-116-0x0000000005350000-0x0000000005351000-memory.dmp
  Filesize: 4KB
- memory/660-117-0x00000000058F0000-0x00000000058F1000-memory.dmp
  Filesize: 4KB
- memory/660-118-0x0000000005490000-0x0000000005491000-memory.dmp
  Filesize: 4KB
- memory/660-119-0x00000000053F0000-0x00000000053F1000-memory.dmp
  Filesize: 4KB
- memory/660-120-0x0000000005620000-0x0000000005621000-memory.dmp
  Filesize: 4KB
- memory/660-121-0x0000000005440000-0x000000000545E000-memory.dmp
  Filesize: 120KB
- memory/660-122-0x0000000002EE0000-0x0000000002EE1000-memory.dmp
  Filesize: 4KB
- memory/660-123-0x0000000006070000-0x00000000060EA000-memory.dmp
  Filesize: 488KB
- memory/660-124-0x0000000008580000-0x00000000085B6000-memory.dmp
  Filesize: 216KB
- memory/3688-125-0x0000000000000000-mapping.dmp