8b74ea45562754413df652ff7754a4c4ac90782f298a1d4066c9801d799a1138

Analysis

max time kernel
146s
max time network
130s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-02-2022 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC40218.exe
Size

409KB
MD5

f0d6685e51ab75d3585212478055cb22
SHA1

11cc87018e7dd4620e7b824012f40cac0a1f367d
SHA256

caaa240601d0e42acb112b2c61f1f71cb12348f77259c8c98cece75735dfc1e0
SHA512

3b19cae94fd6baa2c18069b01e3386db1f13ab848fcce0f9673b246b5f5fb5bad414c27b835bf6f478937fc8afa23d77b7beea4f299badb9434f585792b168a5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

DOC40218.exe

pid process

1284 DOC40218.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1248 1284 WerFault.exe DOC40218.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1248 WerFault.exe
1248 WerFault.exe
1248 WerFault.exe
1248 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1248 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1248 WerFault.exe

pid	process
1284	DOC40218.exe

pid	pid_target	process	target process
1248	1284	WerFault.exe	DOC40218.exe

pid	process
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe

pid	process
1248	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1248	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

DOC40218.exe

description	pid	process	target process
PID 1284 wrote to memory of 1248	1284	DOC40218.exe	WerFault.exe
PID 1284 wrote to memory of 1248	1284	DOC40218.exe	WerFault.exe
PID 1284 wrote to memory of 1248	1284	DOC40218.exe	WerFault.exe
PID 1284 wrote to memory of 1248	1284	DOC40218.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DOC40218.exe
"C:\Users\Admin\AppData\Local\Temp\DOC40218.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 452
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1248

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsq4902.tmp\levdewf.dll
MD5
9d4f6159a6c49b5d2d54f84eeb769ff8

SHA1
88b65ace14508b82c914079755378a9fbd82a23c

SHA256
4d7358217d5850eec523f311eff7fcc89c0e027c77c308a3316603ee7e28499f

SHA512
4ea7395a6a8af4de63cc125ffef5f7ec718ad6e6149775107a078fb929386440a5f94bc711e0663767f04a7a92406d69b8b3406a4636e5cf7961d1600814a7ea

Download Submit
memory/1248-57-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1284-54-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download