Analysis
- max time kernel: 119s
- max time network: 122s
- submitted: 01-01-1970 00:00
Static task: static1
Behavioral task: behavioral1
  Sample: df330ab2a2e5aa4ac947315ee3f93992.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: df330ab2a2e5aa4ac947315ee3f93992.exe
  Resource: win10-en-20211014
General
- Target: df330ab2a2e5aa4ac947315ee3f93992.exe
- Size: 230KB
- MD5: df330ab2a2e5aa4ac947315ee3f93992
- SHA1: 76b5d1eee342b47fe58e2136a067712cbd210351
- SHA256: 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
- SHA512: e65f573d68e8f198024028d553210095173d1551e6074b60d9543977116a0286f75641f4692049a49e6cd03729b001027136419d6cf0c71645e800d5522ed895
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    792   df330ab2a2e5aa4ac947315ee3f93992.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid   pid_target   process        target process
    288   1148         WerFault.exe   df330ab2a2e5aa4ac947315ee3f93992.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    288   WerFault.exe (4 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    288   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    288   WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description                        pid    process                                 target process
    PID 792 wrote to memory of 1148    792    df330ab2a2e5aa4ac947315ee3f93992.exe    df330ab2a2e5aa4ac947315ee3f93992.exe (14 occurrences)
    PID 1148 wrote to memory of 288    1148   df330ab2a2e5aa4ac947315ee3f93992.exe    WerFault.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
  PID: 792
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
    PID: 1148
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 148
      PID: 288
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiC7B3.tmp\oxtrp.dll
  MD5: c2c405109b51233def2b5bf15ffd2308
  SHA1: 14debd98b26edba7788aafcaa41f1d32e8fe1cbc
  SHA256: 7e16ed39ba05c887e6d1b470b6cc8de06fd67ed81fb2da85f645cfbc643ca154
  SHA512: 1c209d4110dc5295d5ba951cf5a22d62ab1bf65d9b5bf66f4c6a2e8e2f2cfd339f06cddf6b956d5f9a567ec8206d607753833ce94e14149d5bbc1b596c91b80b
- memory/288-66-0x0000000000000000-mapping.dmp
- memory/288-68-0x0000000000840000-0x000000000086E000-memory.dmp
  Filesize: 184KB
- memory/792-54-0x00000000751A1000-0x00000000751A3000-memory.dmp
  Filesize: 8KB
- memory/1148-56-0x0000000000000000-mapping.dmp
- memory/1148-57-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB
- memory/1148-61-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB