Overview

overview

10

Static

static

416e85c0a8...f5.exe

windows7_x64

10

416e85c0a8...f5.exe

windows10_x64

10

Analysis

  • max time kernel
    254s
  • max time network
    279s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-06-2021 13:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe

  • Size

    369KB

  • MD5

    331b8604ba1ee60396d11c0ccd628ebb

  • SHA1

    637fde23551e378a3fcbecb64c64b8e51ece23b2

  • SHA256

    416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5

  • SHA512

    c55f673ae5a2c19e75585ef124161d72ac83959e8606e397388271290058f3ea4810a7ec39a00d8053138bf26ea96402e8dbe13bca186ec71fc8257442ec82c6

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe
    "C:\Users\Admin\AppData\Local\Temp\416e85c0a86fbe8a3e874b3119e208e6003891a34b64dfe4d3c2cc3211fab4f5.exe"
    1⤵
      PID:4444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 664
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3152
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 772
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 748
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 792
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 892
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1312
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:8
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1300
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1444
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1420
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:4212

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4444-114-0x00000000006B0000-0x00000000006E0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4444-115-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download