b3273dbf7bad4f225c15fbd7728ee709d8ccb1d2e57a3a9942dbc758d2b97c0f

Analysis

max time kernel
130s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order-807190402-pdf.exe
Size

246KB
MD5

68c5e001f8dae53bce2daf4d5480302a
SHA1

697411019d83f22261b31723f994970c33dc1a20
SHA256

b3273dbf7bad4f225c15fbd7728ee709d8ccb1d2e57a3a9942dbc758d2b97c0f
SHA512

155ff406482ff0273b4eb5a18dfc63e36e9ebb4488224acb3b226a3d042d3266ee71c87784776df8059f69bd32cb98b34a79332bb048ecd5f9f43a4f3591745c

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Order-807190402-pdf.exe

pid process

1548 Order-807190402-pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1696 1548 WerFault.exe Order-807190402-pdf.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1696 WerFault.exe
1696 WerFault.exe
1696 WerFault.exe
1696 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1696 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1696 WerFault.exe

pid	process
1548	Order-807190402-pdf.exe

pid	pid_target	process	target process
1696	1548	WerFault.exe	Order-807190402-pdf.exe

pid	process
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe

pid	process
1696	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1696	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Order-807190402-pdf.exe

description	pid	process	target process
PID 1548 wrote to memory of 1696	1548	Order-807190402-pdf.exe	WerFault.exe
PID 1548 wrote to memory of 1696	1548	Order-807190402-pdf.exe	WerFault.exe
PID 1548 wrote to memory of 1696	1548	Order-807190402-pdf.exe	WerFault.exe
PID 1548 wrote to memory of 1696	1548	Order-807190402-pdf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Order-807190402-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-807190402-pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 492
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd1A27.tmp\pwzcmvmisy.dll
MD5
0379ef9a1abb13b61faddc0ad714ddb7

SHA1
683218b30872825774fcbca3b0f0b3d1f4dfce43

SHA256
de69cf6903ef67081ae40034f5b5c571c2df2fc97606f59259dc6129fcf20c33

SHA512
d5cfd10f449f5311e575e26c6094cb82d48d04bad4bad45beab67b7bd70d91b00bd5e1a053aca0346c9bfde790e7ca712810c3786c8f37498bf245a24c9a4b9d

Download Submit
memory/1548-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1696-57-0x0000000000410000-0x0000000001CE7000-memory.dmp

Filesize
24.8MB

Download