Analysis
-
max time kernel
130s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 11:00
Static task
static1
Behavioral task
behavioral1
Sample
Order-807190402-pdf.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Order-807190402-pdf.exe
Resource
win10v2004-en-20220112
General
-
Target
Order-807190402-pdf.exe
-
Size
246KB
-
MD5
68c5e001f8dae53bce2daf4d5480302a
-
SHA1
697411019d83f22261b31723f994970c33dc1a20
-
SHA256
b3273dbf7bad4f225c15fbd7728ee709d8ccb1d2e57a3a9942dbc758d2b97c0f
-
SHA512
155ff406482ff0273b4eb5a18dfc63e36e9ebb4488224acb3b226a3d042d3266ee71c87784776df8059f69bd32cb98b34a79332bb048ecd5f9f43a4f3591745c
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
Order-807190402-pdf.exepid process 1548 Order-807190402-pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1696 1548 WerFault.exe Order-807190402-pdf.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1696 WerFault.exe 1696 WerFault.exe 1696 WerFault.exe 1696 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1696 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1696 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Order-807190402-pdf.exedescription pid process target process PID 1548 wrote to memory of 1696 1548 Order-807190402-pdf.exe WerFault.exe PID 1548 wrote to memory of 1696 1548 Order-807190402-pdf.exe WerFault.exe PID 1548 wrote to memory of 1696 1548 Order-807190402-pdf.exe WerFault.exe PID 1548 wrote to memory of 1696 1548 Order-807190402-pdf.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order-807190402-pdf.exe"C:\Users\Admin\AppData\Local\Temp\Order-807190402-pdf.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 4922⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsd1A27.tmp\pwzcmvmisy.dllMD5
0379ef9a1abb13b61faddc0ad714ddb7
SHA1683218b30872825774fcbca3b0f0b3d1f4dfce43
SHA256de69cf6903ef67081ae40034f5b5c571c2df2fc97606f59259dc6129fcf20c33
SHA512d5cfd10f449f5311e575e26c6094cb82d48d04bad4bad45beab67b7bd70d91b00bd5e1a053aca0346c9bfde790e7ca712810c3786c8f37498bf245a24c9a4b9d
-
memory/1548-54-0x0000000076451000-0x0000000076453000-memory.dmpFilesize
8KB
-
memory/1696-57-0x0000000000410000-0x0000000001CE7000-memory.dmpFilesize
24.8MB