Analysis
- max time kernel: 146s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04-10-2021 15:59

Static task: static1
Behavioral task: behavioral1
Sample: 5028df0da2732dc8528ca9b7d7e41be5.exe
Resource: win7-en-20210920
General
- Target: 5028df0da2732dc8528ca9b7d7e41be5.exe
- Size: 20KB
- MD5: 5028df0da2732dc8528ca9b7d7e41be5
- SHA1: 462a178ab8063511109a91e11d44443485edd49d
- SHA256: 9bd273556358606717f3d0e7d4a2521dba396d6838d8dfccb78bfc5c98590b84
- SHA512: dc31474f8a6ac3a1ca811a769a6c8c13b7beec22071565a37cbd8db85831e5d0fc3f270dc1328705849c23fac6eb7c1b55bc255db69ec3d7380771914fc8c3ae
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    1364  1324        WerFault.exe  5028df0da2732dc8528ca9b7d7e41be5.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    1604  powershell.exe
    1376  powershell.exe
    1364  WerFault.exe
    1364  WerFault.exe
    1364  WerFault.exe
    1364  WerFault.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1364  WerFault.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1604  powershell.exe
    Token: SeDebugPrivilege  1376  powershell.exe
    Token: SeDebugPrivilege  1324  5028df0da2732dc8528ca9b7d7e41be5.exe
    Token: SeDebugPrivilege  1364  WerFault.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                          pid   process                               target process
    PID 1324 wrote to memory of 1604     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1604     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1604     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1604     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1376     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1376     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1376     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1376     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  powershell.exe
    PID 1324 wrote to memory of 1364     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  WerFault.exe
    PID 1324 wrote to memory of 1364     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  WerFault.exe
    PID 1324 wrote to memory of 1364     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  WerFault.exe
    PID 1324 wrote to memory of 1364     1324  5028df0da2732dc8528ca9b7d7e41be5.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5028df0da2732dc8528ca9b7d7e41be5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5028df0da2732dc8528ca9b7d7e41be5.exe"
  PID: 1324 (depth 1)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
    PID: 1604 (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
    PID: 1376 (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1820
    PID: 1364 (depth 2)
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: e0cf37e8966001763342215d979501be
  SHA1: 9322ff60a36d809a8b0ff93fd1b3b6b15123d30c
  SHA256: 43e19459b78e09eab8f3a4d5f94a7afcaeadf1d8bdda726b4d36cc14b4db8bf4
  SHA512: 8980faff2d6eafb88a91929a775c59bd8e51a438c4aaf669118772ef49cbfd20068b314454b994597c791e61d5e8c36dc75e5c1c21788ac99f8e6524b60a1856