Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211014
submitted: 21-10-2021 11:00
Static task: static1
Behavioral task: behavioral1
  Sample: 1be75ae8266bee2a29b8846a503fbd44.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 1be75ae8266bee2a29b8846a503fbd44.exe
  Resource: win10-en-20210920
General
Target: 1be75ae8266bee2a29b8846a503fbd44.exe
Size: 234KB
MD5: 1be75ae8266bee2a29b8846a503fbd44
SHA1: c7c70d46a08ee09f94e65cadbb86eeb706989db5
SHA256: 6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
SHA512: e478fc3f17cbd151e08a96977706e3976c34bbaaf0a4dec01b7bef9d461dd78a5f6e8449d6cdf46850b20746df9887ca993befe3cce1dbe27a9eb2b7960842d0
Malware Config
Signatures
-
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1552  1be75ae8266bee2a29b8846a503fbd44.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). This is a generic heuristic the sandbox associates with ransomware; it carries no process-level IoC here, and nothing else in this report (no file writes beyond the dropped DLL, and a crash within the run) shows encryption activity, so treat it as a weak indicator.
-
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  328   672         WerFault.exe  1be75ae8266bee2a29b8846a503fbd44.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  328   WerFault.exe   (x4)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  328   WerFault.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   328   WerFault.exe
Every hit in these three signatures is on WerFault.exe (PID 328), the Windows crash handler started after the child instance faulted. Enumerating processes, polling the foreground window and enabling SeDebugPrivilege are what the handler does to collect a crash report, so these rows describe WerFault, not the sample.
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                       pid   process                               target process
  PID 1552 wrote to memory of 672   1552  1be75ae8266bee2a29b8846a503fbd44.exe  1be75ae8266bee2a29b8846a503fbd44.exe   (x14)
  PID 672 wrote to memory of 328    672   1be75ae8266bee2a29b8846a503fbd44.exe  WerFault.exe                           (x4)
The first row is the original instance writing repeatedly into a second copy of itself that it spawned, the API-level shape of RunPE-style process hollowing. The second row is the faulting child handing its exception data to the WerFault.exe it launched, which is the normal crash-reporting path and not injection.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe"
   PID: 1552
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe  (child of PID 1552)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe"
      PID: 672
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe  (child of PID 672)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 148
         PID: 328
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
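The WriteProcessMemory rows and the process tree above are enough to reconstruct the execution chain without the sandbox UI. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses the report's flattened event rows (rebuilt in-line from the counts on this page, 14 parent-to-child writes and 4 child-to-WerFault writes), flags the "process writes into a freshly spawned copy of its own image" pattern that RunPE-style hollowing produces, reads the faulting PID from WerFault's -p argument, and checks that the process that crashed is the injection target rather than the loader. The threshold, function names and the exclusion of same-image writes into a different image are my own choices.

```python
"""Correlate the WriteProcessMemory events and the WerFault command line from a
sandbox report.  Added example; the event text is copied from the report above,
the parsing and scoring logic is not the sandbox's."""
import re
from collections import Counter

SAMPLE_EXE = "1be75ae8266bee2a29b8846a503fbd44.exe"

# Constructed copy of the report's "Suspicious use of WriteProcessMemory" rows:
# 14 writes from the first instance (PID 1552) into the second (PID 672), then
# 4 writes from PID 672 into the WerFault.exe it spawned (PID 328): 18 IoCs.
REPORT_WPM = " ".join(
    [f"PID 1552 wrote to memory of 672 1552 {SAMPLE_EXE} {SAMPLE_EXE}"] * 14
    + [f"PID 672 wrote to memory of 328 672 {SAMPLE_EXE} WerFault.exe"] * 4
)

# Crash handler command line as listed in the process tree.
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 148"

# Row layout is "description pid process target-process", and the description
# itself is "PID <src> wrote to memory of <dst>", so the source pid appears
# twice; the backreference enforces that and keeps the regex from drifting
# across row boundaries in the flattened text.
_WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_wpm(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples, one per row."""
    return [
        (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        for m in _WPM_RE.finditer(text)
    ]


def self_injection_candidates(events, min_writes=2):
    """Map (src, dst) -> write count for pairs where a process writes
    repeatedly into a process running the same image.  Spawning a copy of
    yourself and then WriteProcessMemory-ing into it is how RunPE-style
    hollowing looks in an API log; writes into a different image (here the
    child's handoff to WerFault.exe) are left out on purpose."""
    counts = Counter((s, d) for s, d, si, di in events if si == di)
    return {pair: n for pair, n in counts.items() if n >= min_writes}


def werfault_target(cmdline):
    """PID that WerFault.exe was started for (its -p argument), or None."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)(?:\s|$)", cmdline)
    return int(m.group(1)) if m else None


def crashed_process_was_injected(events, cmdline):
    """True when the faulting process named by WerFault is the target of a
    self-injection, i.e. the crash happened inside the hollowed child rather
    than in the loader that wrote to it."""
    crashed = werfault_target(cmdline)
    return any(dst == crashed for (_src, dst) in self_injection_candidates(events))


if __name__ == "__main__":
    ev = parse_wpm(REPORT_WPM)
    print(f"{len(ev)} WriteProcessMemory events")
    print("self-injection candidates:", self_injection_candidates(ev))
    print("WerFault target pid:", werfault_target(WERFAULT_CMDLINE))
    print("crashed process was the injection target:",
          crashed_process_was_injected(ev, WERFAULT_CMDLINE))
```

Run as-is it reports one candidate pair, (1552, 672) with 14 writes, and confirms that PID 672, the process WerFault was started for, is that target. The same-image filter is what keeps the 672 to 328 writes out of the result; if you extend this to other reports, keep that filter, because a crash handler receiving data from the faulting process is the most common benign WriteProcessMemory you will see in sandbox logs.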
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsnBFE6.tmp\xwaahew.dll
MD5:    1792a656868a4d2689ed3d4b577d7426
SHA1:   bb62d812490c8d3154b9f34d72d75b9c0239d820
SHA256: ec60e96dc49a9fc57aabe1a6c6fcd58bab85010916de0b299a95af44ef332dd1
SHA512: b2408f5c9d1752f01189a180912e6d985e929a95c82904028157eeda33e01a7bfb654dd7930faee97af97ec1f5162b4e7b0d7777d11ddeeb39b4c0c520aa62ff
This is the only file the run dropped, so it is the DLL behind the "Loads dropped DLL" signature on PID 1552. The ns<XXXX>.tmp directory name is the pattern NSIS installers use when extracting plugin DLLs; the report does not identify the packer, so confirm that statically before relying on it.
-
memory/328-67-0x0000000000000000-mapping.dmp
-
memory/328-69-0x0000000000550000-0x000000000057E000-memory.dmp   Filesize: 184KB
-
memory/672-57-0x0000000000000000-mapping.dmp
-
memory/672-58-0x00000000001C0000-0x00000000001DB000-memory.dmp   Filesize: 108KB
-
memory/672-62-0x00000000001C0000-0x00000000001DB000-memory.dmp   Filesize: 108KB
-
memory/1552-55-0x0000000075B71000-0x0000000075B73000-memory.dmp  Filesize: 8KB