Overview

Score  Task / sample           Platform
10     Static
10     7zS850A099...ed.exe     windows7_x64
10     7zS850A099...ed.exe     windows10-2004_x64
10     7zS850A099...1a.exe     windows7_x64
10     7zS850A099...1a.exe     windows10-2004_x64
1      7zS850A099...b7.exe     windows7_x64
10     7zS850A099...b7.exe     windows10-2004_x64
10     7zS850A099...5e.exe     windows7_x64
10     7zS850A099...5e.exe     windows10-2004_x64
10     7zS850A099...a0.exe     windows7_x64
10     7zS850A099...a0.exe     windows10-2004_x64
10     7zS850A099...95.exe     windows7_x64
7      7zS850A099...95.exe     windows10-2004_x64
7      7zS850A099...cb.exe     windows7_x64
10     7zS850A099...cb.exe     windows10-2004_x64
1      7zS850A099...58.exe     windows7_x64
7      7zS850A099...58.exe     windows10-2004_x64
1      7zS850A099...7f.exe     windows7_x64
7      7zS850A099...7f.exe     windows10-2004_x64
1      7zS850A099...32.exe     windows7_x64
7      7zS850A099...32.exe     windows10-2004_x64
7      7zS850A099...c3.exe     windows7_x64
8      7zS850A099...c3.exe     windows10-2004_x64
8      7zS850A099...e9.exe     windows7_x64
6      7zS850A099...e9.exe     windows10-2004_x64
6      7zS850A099...8c.exe     windows7_x64
8      7zS850A099...8c.exe     windows10-2004_x64
1      7zS850A099...8c.exe     windows7_x64
10     7zS850A099...8c.exe     windows10-2004_x64
10     7zS850A099...ll.exe     windows7_x64
10     7zS850A099...ll.exe     windows10-2004_x64
Analysis
- max time kernel: 129s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 19-01-2022 08:10
Behavioral tasks

Task          Sample                                          Resource
behavioral1   7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe    win7-en-20211208
behavioral2   7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe    win10v2004-en-20220113
behavioral3   7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe    win7-en-20211208
behavioral4   7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe    win10v2004-en-20220113
behavioral5   7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe     win7-en-20211208
behavioral6   7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe     win10v2004-en-20220112
behavioral7   7zS850A099E/61e74fd53f766_Tue23ec97445e.exe     win7-en-20211208
behavioral8   7zS850A099E/61e74fd53f766_Tue23ec97445e.exe     win10v2004-en-20220112
behavioral9   7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe   win7-en-20211208
behavioral10  7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe   win10v2004-en-20220112
behavioral11  7zS850A099E/61e74fd8ef830_Tue23593425095.exe    win7-en-20211208
behavioral12  7zS850A099E/61e74fd8ef830_Tue23593425095.exe    win10v2004-en-20220113
behavioral13  7zS850A099E/61e74fda51500_Tue23260baecb.exe     win7-en-20211208
behavioral14  7zS850A099E/61e74fda51500_Tue23260baecb.exe     win10v2004-en-20220113
behavioral15  7zS850A099E/61e7501ab629f_Tue23c4645058.exe     win7-en-20211208
behavioral16  7zS850A099E/61e7501ab629f_Tue23c4645058.exe     win10v2004-en-20220113
behavioral17  7zS850A099E/61e7501b7eabe_Tue2344597f.exe       win7-en-20211208
behavioral18  7zS850A099E/61e7501b7eabe_Tue2344597f.exe       win10v2004-en-20220113
behavioral19  7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe   win7-en-20211208
behavioral20  7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe   win10v2004-en-20220112
behavioral21  7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe     win7-en-20211208
behavioral22  7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe     win10v2004-en-20220112
behavioral23  7zS850A099E/61e7502b8389b_Tue233252e9.exe       win7-en-20211208
behavioral24  7zS850A099E/61e7502b8389b_Tue233252e9.exe       win10v2004-en-20220112
behavioral25  7zS850A099E/61e7502c4cff3_Tue232cba58c.exe      win7-en-20211208
behavioral26  7zS850A099E/61e7502c4cff3_Tue232cba58c.exe      win10v2004-en-20220113
behavioral27  7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe     win7-en-20211208
behavioral28  7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe     win10v2004-en-20220113
behavioral29  7zS850A099E/setup_install.exe                   win7-en-20211208
behavioral30  7zS850A099E/setup_install.exe                   win10v2004-en-20220113
General
- Target: 7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe
- Size: 312KB
- MD5: e5a07be6c167ccf605ba9e6a0608e141
- SHA1: d50547756f224ebaf38efc1b2e5134b6caa272ba
- SHA256: 449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4
- SHA512: b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b
Malware Config
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe, rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2252 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1284 | 2252 | rundll32.exe

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
Processes: WerFault.exe, WerFault.exe
  description | pid | process | target process
  PID 1912 created 1696 | 1912 | WerFault.exe | rundll32.exe
  PID 2128 created 1932 | 2128 | WerFault.exe | rundll32.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 61e74fd2175cb_Tue23956aa60ed.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 61e74fd2175cb_Tue23956aa60ed.exe

Loads dropped DLL (2 IoCs)
Processes: rundll32.exe, rundll32.exe
  pid | process
  1696 | rundll32.exe
  1932 | rundll32.exe

Drops file in Windows directory (1 IoCs)
Processes: WerFault.exe
  description | ioc | process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe

Enumerates physical storage devices (2 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  1172 | 1696 | WerFault.exe | rundll32.exe
  432 | 1932 | WerFault.exe | rundll32.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WerFault.exe, WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: WerFault.exe, WerFault.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 24 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: WerFault.exe, WerFault.exe
  pid | process
  432 | WerFault.exe
  432 | WerFault.exe
  1172 | WerFault.exe
  1172 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: WerFault.exe, WerFault.exe
  description | pid | process
  Token: SeRestorePrivilege | 432 | WerFault.exe
  Token: SeBackupPrivilege | 432 | WerFault.exe
  Token: SeRestorePrivilege | 1172 | WerFault.exe
  Token: SeBackupPrivilege | 1172 | WerFault.exe
  Token: SeBackupPrivilege | 1172 | WerFault.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: 61e74fd2175cb_Tue23956aa60ed.exe, 61e74fd2175cb_Tue23956aa60ed.exe, 61e74fd2175cb_Tue23956aa60ed.exe
  pid | process
  1856 | 61e74fd2175cb_Tue23956aa60ed.exe
  1856 | 61e74fd2175cb_Tue23956aa60ed.exe
  1436 | 61e74fd2175cb_Tue23956aa60ed.exe
  2752 | 61e74fd2175cb_Tue23956aa60ed.exe
  1436 | 61e74fd2175cb_Tue23956aa60ed.exe
  2752 | 61e74fd2175cb_Tue23956aa60ed.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 61e74fd2175cb_Tue23956aa60ed.exe, rundll32.exe, rundll32.exe, WerFault.exe, WerFault.exe
  description | pid | process | target process
  PID 1856 wrote to memory of 2752 | 1856 | 61e74fd2175cb_Tue23956aa60ed.exe | 61e74fd2175cb_Tue23956aa60ed.exe
  PID 1856 wrote to memory of 2752 | 1856 | 61e74fd2175cb_Tue23956aa60ed.exe | 61e74fd2175cb_Tue23956aa60ed.exe
  PID 1856 wrote to memory of 2752 | 1856 | 61e74fd2175cb_Tue23956aa60ed.exe | 61e74fd2175cb_Tue23956aa60ed.exe
  PID 1856 wrote to memory of 1436 | 1856 | 61e74fd2175cb_Tue23956aa60ed.exe | 61e74fd2175cb_Tue23956aa60ed.exe
  PID 1856 wrote to memory of 1436 | 1856 | 61e74fd2175cb_Tue23956aa60ed.exe | 61e74fd2175cb_Tue23956aa60ed.exe
  PID 1856 wrote to memory of 1436 | 1856 | 61e74fd2175cb_Tue23956aa60ed.exe | 61e74fd2175cb_Tue23956aa60ed.exe
  PID 1284 wrote to memory of 1932 | 1284 | rundll32.exe | rundll32.exe
  PID 1284 wrote to memory of 1932 | 1284 | rundll32.exe | rundll32.exe
  PID 1284 wrote to memory of 1932 | 1284 | rundll32.exe | rundll32.exe
  PID 2780 wrote to memory of 1696 | 2780 | rundll32.exe | rundll32.exe
  PID 2780 wrote to memory of 1696 | 2780 | rundll32.exe | rundll32.exe
  PID 2780 wrote to memory of 1696 | 2780 | rundll32.exe | rundll32.exe
  PID 1912 wrote to memory of 1696 | 1912 | WerFault.exe | rundll32.exe
  PID 1912 wrote to memory of 1696 | 1912 | WerFault.exe | rundll32.exe
  PID 2128 wrote to memory of 1932 | 2128 | WerFault.exe | rundll32.exe
  PID 2128 wrote to memory of 1932 | 2128 | WerFault.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
      - Loads dropped DLL
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 604
        - Drops file in Windows directory
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
      - Loads dropped DLL
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 556
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1932 -ip 1932
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1696 -ip 1696
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\db.dat
  MD5 4d0511c6b3fced567deda83f81c485fc
  SHA1 a76a47f933f27e65fa3b6568c37a15b0dbc01b24
  SHA256 27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a
  SHA512 f5c778c316a9df4c42866cacad962682cd7db99b97e003841865003c162570eabcf88d922e16d1e9fdad0d40702c34c87c3a7e940f297711823063126de1e28b
- C:\Users\Admin\AppData\Local\Temp\db.dll
  MD5 128d6b829a7c440c0f414266ecbf3010
  SHA1 2bb5205fb52b9fa37efd036386c24386216209d1
  SHA256 85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7
  SHA512 c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686