Analysis
- max time kernel: 120s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 22-10-2021 10:53
Static task: static1
Behavioral task: behavioral1
- Sample: 8efc94a68d078ed67459403c868aa9f0.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 8efc94a68d078ed67459403c868aa9f0.exe
- Resource: win10-en-20210920
General
- Target: 8efc94a68d078ed67459403c868aa9f0.exe
- Size: 238KB
- MD5: 8efc94a68d078ed67459403c868aa9f0
- SHA1: 64da6737b14dc11fb68fe4aef22981219ecbfd9f
- SHA256: 511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
- SHA512: 5fd1f0fb7113d11e5ee7921581da43a4b04c2afeecca9fbd623cae5ef2b19955cd456fd7ac230eeab344e12e6452b780f616b90a00ccc1f1606a443a54f5a9f6
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
Processes (pid, process):
852 8efc94a68d078ed67459403c868aa9f0.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
Processes (pid, pid_target, process, target process):
1548 1612 WerFault.exe 8efc94a68d078ed67459403c868aa9f0.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
1548 WerFault.exe (5 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
1548 WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 1548 WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process):
PID 852 wrote to memory of 1612, 852 8efc94a68d078ed67459403c868aa9f0.exe 8efc94a68d078ed67459403c868aa9f0.exe (14 occurrences)
PID 1612 wrote to memory of 1548, 1612 8efc94a68d078ed67459403c868aa9f0.exe WerFault.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:852
  - C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe"
    - Suspicious use of WriteProcessMemory
    PID:1612
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 148
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID:1548
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nst57E.tmp\edjaxef.dll
  MD5: 91b963a246288264ddf484d3b69741a1
  SHA1: 15168c8dd766c2046f891e085e08fae5a368665d
  SHA256: 8477871a37fc72bdc5eaec5d690e67421209e6fbeb3b6d278044de3686df650c
  SHA512: 99fd9259be65abef388a7763cbd7b3de5252bcd3827a36bf970989a73e87b76c35cfab6bc6c035057b5e1a78f924585577ffb9f88500fc300ed727955de72652
- memory/852-54-0x00000000768C1000-0x00000000768C3000-memory.dmp
  Filesize: 8KB
- memory/1548-66-0x0000000000000000-mapping.dmp
- memory/1548-68-0x00000000002C0000-0x00000000002C1000-memory.dmp
  Filesize: 4KB
- memory/1612-57-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB
- memory/1612-56-0x0000000000000000-mapping.dmp
- memory/1612-61-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB