Analysis

Max time kernel: 106s
Max time network: 139s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-06-2021 00:58

Static task: static1

Behavioral task: behavioral1
  Sample: 발주분(신규)_10115_[새너]_210618.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: 발주분(신규)_10115_[새너]_210618.exe
  Resource: win10v20210410
General

Target: 발주분(신규)_10115_[새너]_210618.exe
Size: 896KB
MD5: e09894bf14893c505a994a382c4d6a62
SHA1: b4965362953a87cc854e08f1e5a19d9ecc10871e
SHA256: e8744060c5568394940066bc2a220430ab1d62fbaca0239d7a51352f666220ff
SHA512: 0c86272483d6e9f67a7ba8de5b86ca44064b2a5cbe5783ef3dc28b2bca1a3084a79efa8e50e068b1d80efb17509edd752f44fd3a1417904701ff2f59dc1d4e81
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
  Processes:
    PID   Target PID   Process        Target process
    3656  2256         WerFault.exe   발주분(신규)_10115_[새너]_210618.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    PID   Process
    2256  발주분(신규)_10115_[새너]_210618.exe (2 events)
    3656  WerFault.exe (13 events)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Description                 PID   Process
    Token: SeDebugPrivilege     2256  발주분(신규)_10115_[새너]_210618.exe
    Token: SeRestorePrivilege   3656  WerFault.exe
    Token: SeBackupPrivilege    3656  WerFault.exe
    Token: SeDebugPrivilege     3656  WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    Description                        PID   Process                              Target process
    PID 2256 wrote to memory of 3308   2256  발주분(신규)_10115_[새너]_210618.exe   schtasks.exe (3 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\발주분(신규)_10115_[새너]_210618.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\발주분(신규)_10115_[새너]_210618.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnwsifLF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF907.tmp"
      - Creates scheduled task(s)

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF907.tmp
  MD5: 7f6390aa78ab2b4fb54b4763082bfd7b
  SHA1: edaebb93635cc4bc7af39ea4b9518585ebf8fbd4
  SHA256: 2f1db67964f3b6d24e1ca207b9b01cb19a3c6932e36e0547cc7cb2009aa7c041
  SHA512: 098c39446f8d83768a51c74fcd4bd68363154e77e4e1549d9ba6413dc5bbcca316cf183bdac01c8f25d4af07e65eb60172f7ac4e1427130b0b6c3ced08a264c0
Memory dumps:
  Dump                                                               Filesize
  memory/2256-114-0x0000000000B10000-0x0000000000B11000-memory.dmp   4KB
  memory/2256-116-0x00000000078B0000-0x00000000078B1000-memory.dmp   4KB
  memory/2256-117-0x0000000007E50000-0x0000000007E51000-memory.dmp   4KB
  memory/2256-118-0x00000000079F0000-0x00000000079F1000-memory.dmp   4KB
  memory/2256-119-0x0000000007980000-0x0000000007981000-memory.dmp   4KB
  memory/2256-120-0x0000000007C10000-0x0000000007C11000-memory.dmp   4KB
  memory/2256-121-0x00000000079A0000-0x00000000079B6000-memory.dmp   88KB
  memory/2256-122-0x0000000007950000-0x0000000007E4E000-memory.dmp   5.0MB
  memory/2256-123-0x00000000085C0000-0x000000000862F000-memory.dmp   444KB
  memory/2256-124-0x0000000002E20000-0x0000000002E58000-memory.dmp   224KB
  memory/3308-125-0x0000000000000000-mapping.dmp