Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-09-2021 07:00
Static task: static1
Behavioral task: behavioral1
- Sample: d0a801b89e60cb6ccf654a9baa290783.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: d0a801b89e60cb6ccf654a9baa290783.exe
- Resource: win10v20210408
General
- Target: d0a801b89e60cb6ccf654a9baa290783.exe
- Size: 280KB
- MD5: d0a801b89e60cb6ccf654a9baa290783
- SHA1: 03b0065ac6ae5667552501ba9d25c51b1bc3034d
- SHA256: 21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2
- SHA512: daa434061ce27f202f511aa9f217d7aa945fcdab7e441c8ad8db6ac872289dae09d009950b09890065ee094db2da08950f4c9b7e59176255a570e9c4c3712575
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
  pid 1548, process d0a801b89e60cb6ccf654a9baa290783.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  pid 960, process WerFault.exe; target pid 1256, target process d0a801b89e60cb6ccf654a9baa290783.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid 960, process WerFault.exe (4 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid 960, process WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Token: SeDebugPrivilege; pid 960, process WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  PID 1548 (d0a801b89e60cb6ccf654a9baa290783.exe) wrote to memory of PID 1256 (d0a801b89e60cb6ccf654a9baa290783.exe): 14 events
  PID 1256 (d0a801b89e60cb6ccf654a9baa290783.exe) wrote to memory of PID 960 (WerFault.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe"
  PID: 1548
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe (depth 2, child of PID 1548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe"
    PID: 1256
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, child of PID 1256)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 148
      PID: 960
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nslC986.tmp\jotob.dll
  MD5: 4895c38c883087d6e8c1488deeff9352
  SHA1: 4c0c677f3b3c11c2470b9dd7bed210a5371d6746
  SHA256: e854cd6f6b9585cc8f7c219375325ef1b2fa65d10313eb29c12b4ac6433b4c16
  SHA512: ac0f4055941e0e74730dd8bdf6684f7cbcaa373a95381da928ab0772f1aaf0632195b979373cef1fe3d4be56e2e6a54e2c6517f11c5111eccc1c30bad2dd9347
- memory/960-62-0x0000000000000000-mapping.dmp
- memory/960-64-0x00000000003A0000-0x00000000003A1000-memory.dmp
  Filesize: 4KB
- memory/1256-56-0x0000000000000000-mapping.dmp
- memory/1256-57-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB
- memory/1548-54-0x00000000762D1000-0x00000000762D3000-memory.dmp
  Filesize: 8KB