Analysis
- max time kernel: 138s
- max time network: 186s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 02-08-2021 05:02

Static task: static1
Behavioral task: behavioral1
  Sample: A3D61C51677550BCAB428E66D5AE3080.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: A3D61C51677550BCAB428E66D5AE3080.exe
  Resource: win10v20210408
General
- Target: A3D61C51677550BCAB428E66D5AE3080.exe
- Size: 2.1MB
- MD5: a3d61c51677550bcab428e66d5ae3080
- SHA1: 7ccd97e4c9afcd1006aaeb617f1d197d8913e34c
- SHA256: ec2ff3ea783304168e8acdf7e60a3c4d97efa75bf922c10ee1b947d1b87a7cc2
- SHA512: da991a168162ec3d0f551413bb9d7f21f3f20f9f171d8a81684f2cdde80883e9a06aaf789d3e8c48ee148b280d4cf757344d057187fb3839e031d94255b3e6cc
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: flow 7, PID 1320 WScript.exe
- Executes dropped EXE (1 IoC)
  Processes: PID 1072 setup.exe
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js (process: WScript.exe)
- Loads dropped DLL (8 IoCs)
  Processes: PID 1644 A3D61C51677550BCAB428E66D5AE3080.exe (x1); PID 1704 WerFault.exe (x7)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEHHRB8F7I = "\"C:\\Users\\Admin\\AppData\\Roaming\\info.js\"" (process: WScript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: PID 1704 WerFault.exe, target PID 1072 setup.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PID 1704 WerFault.exe (x5)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 1704 WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1704 WerFault.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1644 A3D61C51677550BCAB428E66D5AE3080.exe wrote to memory of PID 1320 WScript.exe (x4)
  PID 1644 A3D61C51677550BCAB428E66D5AE3080.exe wrote to memory of PID 1072 setup.exe (x4)
  PID 1072 setup.exe wrote to memory of PID 1704 WerFault.exe (x3)
  PID 1320 WScript.exe wrote to memory of PID 1324 schtasks.exe (x4)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\A3D61C51677550BCAB428E66D5AE3080.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\A3D61C51677550BCAB428E66D5AE3080.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Roaming\info.js
      - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1072 -s 476
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\info.js
  MD5: 6a89d3b24b67760618efe3d28c9011db
  SHA1: 9bdfcb2d237c91ea38b731611a135e345121729f
  SHA256: 0e54f80cede9e1aabf88c1676774c24888b5c72f34acdb1c88dc6e026abc76c4
  SHA512: 413153600e6a932a7f07394284ae4ee4a66916c72ff5375062374a6899bb81c96000972c4d376db46dba25385b3ca02c6704cfbac58ca948a01edc1b08658f5c
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  MD5: 31adbc555a9df3e7a17fe6077c1dae93
  SHA1: 231f3c01e17fc3f9ae898c7317f4e4eee386cde1
  SHA256: 16f8c2fc708874cf0648770c9910f481fe0f46e555ad57397247f5ce8b3b0de8
  SHA512: 991f8b0140635bfb37fce3b457021543e2ee4d6c80000534cbe515d15a6f02ff2c8b9e2f3e78a46a985eafcc2abcd9b0eb219bca29cb7af4544a9b33a0a0ca33
- \Users\Admin\AppData\Local\Temp\setup.exe
  MD5: 31adbc555a9df3e7a17fe6077c1dae93
  SHA1: 231f3c01e17fc3f9ae898c7317f4e4eee386cde1
  SHA256: 16f8c2fc708874cf0648770c9910f481fe0f46e555ad57397247f5ce8b3b0de8
  SHA512: 991f8b0140635bfb37fce3b457021543e2ee4d6c80000534cbe515d15a6f02ff2c8b9e2f3e78a46a985eafcc2abcd9b0eb219bca29cb7af4544a9b33a0a0ca33
- memory/1072-64-0x0000000000000000-mapping.dmp
- memory/1072-67-0x000000013FA80000-0x000000013FA81000-memory.dmp (Filesize: 4KB)
- memory/1320-60-0x0000000000000000-mapping.dmp
- memory/1324-79-0x0000000000000000-mapping.dmp
- memory/1644-59-0x00000000766D1000-0x00000000766D3000-memory.dmp (Filesize: 8KB)
- memory/1704-70-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp (Filesize: 8KB)
- memory/1704-69-0x0000000000000000-mapping.dmp
- memory/1704-78-0x00000000022F0000-0x00000000022F1000-memory.dmp (Filesize: 4KB)