Analysis
- max time kernel: 112s
- max time network: 34s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-08-2021 04:11
Static task: static1
Behavioral task: behavioral1
- Sample: Privacy By Design - Training Module.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: Privacy By Design - Training Module.exe
- Resource: win10v20210408
General
- Target: Privacy By Design - Training Module.exe
- Size: 724KB
- MD5: 82126e6a1d3b1bb5b1d1c3ddbb256b0e
- SHA1: 2259e9b89fcfd3e01d2e1554b32b478fc0f6396c
- SHA256: aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398
- SHA512: 6795d4872554840c5a1bb4ed415c3d948c3384348ea8c18e30d74c8d800d554956003a048a4d7bceac9b670f7fd350c1a2aaa8d07725cce3138cf1fa036ac4f9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 784, Privacy By Design - Training Module.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: pid 752 WerFault.exe, target pid 784 Privacy By Design - Training Module.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: pid 2028 Privacy By Design - Training Module.exe (2 hits); pid 784 Privacy By Design - Training Module.exe (4 hits); pid 752 WerFault.exe (5 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 752 WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Token SeDebugPrivilege in pid 2028 Privacy By Design - Training Module.exe; Token SeDebugPrivilege in pid 784 Privacy By Design - Training Module.exe; Token SeDebugPrivilege in pid 752 WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: PID 2028 (Privacy By Design - Training Module.exe) wrote to memory of PID 784 (Privacy By Design - Training Module.exe), 3 hits; PID 784 (Privacy By Design - Training Module.exe) wrote to memory of PID 752 (WerFault.exe), 3 hits
Processes
1. "C:\Users\Admin\AppData\Local\Temp\Privacy By Design - Training Module.exe" (pid 2028)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe" (pid 784, child of 1)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\WerFault.exe -u -p 784 -s 568 (pid 752, child of 2)
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe
  MD5: 82126e6a1d3b1bb5b1d1c3ddbb256b0e
  SHA1: 2259e9b89fcfd3e01d2e1554b32b478fc0f6396c
  SHA256: aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398
  SHA512: 6795d4872554840c5a1bb4ed415c3d948c3384348ea8c18e30d74c8d800d554956003a048a4d7bceac9b670f7fd350c1a2aaa8d07725cce3138cf1fa036ac4f9
- memory/752-67-0x0000000000000000-mapping.dmp
- memory/752-68-0x000007FEFC411000-0x000007FEFC413000-memory.dmp (filesize 8KB)
- memory/752-69-0x0000000001C60000-0x0000000001C61000-memory.dmp (filesize 4KB)
- memory/784-62-0x0000000000000000-mapping.dmp
- memory/784-65-0x0000000000320000-0x0000000000321000-memory.dmp (filesize 4KB)
- memory/2028-60-0x0000000000C00000-0x0000000000C01000-memory.dmp (filesize 4KB)