Analysis
- max time kernel: 146s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 06:17
Static task: static1
Behavioral task: behavioral1
Sample: DOC40218.exe
Resource: win7-en-20211208
General
- Target: DOC40218.exe
- Size: 409KB
- MD5: f0d6685e51ab75d3585212478055cb22
- SHA1: 11cc87018e7dd4620e7b824012f40cac0a1f367d
- SHA256: caaa240601d0e42acb112b2c61f1f71cb12348f77259c8c98cece75735dfc1e0
- SHA512: 3b19cae94fd6baa2c18069b01e3386db1f13ab848fcce0f9673b246b5f5fb5bad414c27b835bf6f478937fc8afa23d77b7beea4f299badb9434f585792b168a5
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1284  DOC40218.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    1248  1284        WerFault.exe  DOC40218.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1248  WerFault.exe  (4 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1248  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1248  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid   process       target process
    PID 1284 wrote to memory of 1248    1284  DOC40218.exe  WerFault.exe  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DOC40218.exe (PID 1284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOC40218.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 1248, child of 1284)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 452
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsq4902.tmp\levdewf.dll
  MD5: 9d4f6159a6c49b5d2d54f84eeb769ff8
  SHA1: 88b65ace14508b82c914079755378a9fbd82a23c
  SHA256: 4d7358217d5850eec523f311eff7fcc89c0e027c77c308a3316603ee7e28499f
  SHA512: 4ea7395a6a8af4de63cc125ffef5f7ec718ad6e6149775107a078fb929386440a5f94bc711e0663767f04a7a92406d69b8b3406a4636e5cf7961d1600814a7ea
- memory/1248-57-0x00000000003B0000-0x00000000003B1000-memory.dmp
  Filesize: 4KB
- memory/1284-54-0x00000000756C1000-0x00000000756C3000-memory.dmp
  Filesize: 8KB