Analysis

max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-en-20210920
submitted: 29-10-2021 18:57

Static task: static1
Behavioral task: behavioral1
  Sample: 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
  Resource: win10-en-20210920
General

Target: 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Size: 234KB
MD5: 8d97ea0aeb6dbb5bfe61a2a45809dd90
SHA1: c2abdfefadc76b9f78b500f5b3aba9321a5d42e1
SHA256: 8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06
SHA512: b199abfc0abe5f46873ceaccd287e973a6285d40caeb9320f126bfdc081f4bbd8dc706a2a2ca74a305fd5666772db877cb6bc1ea35448585941b1f191405779e
Malware Config
Signatures

Loads dropped DLL (1 IoCs)
  pid   process
  972   8d97ea0aeb6dbb5bfe61a2a45809dd90.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid   pid_target   process        target process
  984   568          WerFault.exe   8d97ea0aeb6dbb5bfe61a2a45809dd90.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  984   WerFault.exe   (5 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  984   WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   984   WerFault.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   process                                target process
  PID 972 wrote to memory of 568    972   8d97ea0aeb6dbb5bfe61a2a45809dd90.exe   8d97ea0aeb6dbb5bfe61a2a45809dd90.exe   (14 events)
  PID 568 wrote to memory of 984    568   8d97ea0aeb6dbb5bfe61a2a45809dd90.exe   WerFault.exe                           (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe"
   PID: 972
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe"
      PID: 568
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 148
         PID: 984
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Local\Temp\nsyC775.tmp\vskgzcgvn.dll
  MD5: 879fe70b7d9b58770c4c5ff43b6af498
  SHA1: f9fd57ae071014e5ccb32440ee52d2c51166a0c3
  SHA256: cabc6346c99a2f74c7cac1d4c1f83538cce9b0047c8437e240af03338b73f192
  SHA512: 49a6740fea7f230da9808b46b6f2f896c05894b4dad923cbdd1fec0859e4bd4afc2fddca4655b7d2e3553e5e36605f73db2b64fde9a509a4fcf957eec87d3773

memory/568-56-0x0000000000000000-mapping.dmp

memory/568-57-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB

memory/568-61-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB

memory/972-54-0x00000000767F1000-0x00000000767F3000-memory.dmp
  Filesize: 8KB

memory/984-66-0x0000000000000000-mapping.dmp

memory/984-68-0x00000000005A0000-0x00000000005A1000-memory.dmp
  Filesize: 4KB