Analysis
- max time kernel: 153s
- max time network: 24s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 12:57
Static task: static1
Behavioral task: behavioral1
- Sample: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
- Resource: win10v2004-en-20220112
General
- Target: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
- Size: 964KB
- MD5: 9cf33a9d11e1a0eddb2481e862487bb2
- SHA1: 4db6d3e61cd201bf855a1e50300d01496a231de7
- SHA256: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
- SHA512: 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1756  chrome.exe
- Drops startup file (5 IoCs)
  Processes:
    description                   ioc                                                                                              process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe                       cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe                       cmd.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe\:Zone.Identifier:$DATA  cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier       cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier       cmd.exe
- Loads dropped DLL (6 IoCs)
  Processes:
    pid   process
    1820  cmd.exe
    992   WerFault.exe
    992   WerFault.exe
    992   WerFault.exe
    992   WerFault.exe
    992   WerFault.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                                                                                          process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\chrome.exe -boot"  chrome.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid  pid_target  process       target process
    992  1756        WerFault.exe  chrome.exe
- NTFS ADS (2 IoCs)
  Processes:
    description                   ioc                                                                                                                       process
    File created                  C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier  cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier  cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid  process
    992  WerFault.exe
    992  WerFault.exe
    992  WerFault.exe
    992  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  816   8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
    Token: SeDebugPrivilege  1756  chrome.exe
    Token: SeDebugPrivilege  992   WerFault.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (each row below appears 4 times in the report, 32 entries in total):
    description                     pid   process                                                                target process
    PID 816 wrote to memory of 1636  816   8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe  cmd.exe
    PID 816 wrote to memory of 964   816   8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe  cmd.exe
    PID 816 wrote to memory of 1120  816   8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe  cmd.exe
    PID 816 wrote to memory of 1820  816   8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe  cmd.exe
    PID 1820 wrote to memory of 1756 1820  cmd.exe                                                                chrome.exe
    PID 1756 wrote to memory of 1080 1756  chrome.exe                                                             cmd.exe
    PID 1756 wrote to memory of 1160 1756  chrome.exe                                                             cmd.exe
    PID 1756 wrote to memory of 992  1756  chrome.exe                                                             WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe"
  PID: 816
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"
    PID: 1636
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"
    PID: 964
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
    PID: 1120
    - Drops startup file
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
    PID: 1820
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
      PID: 1756
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"
        PID: 1080
        - Drops startup file
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"
        PID: 1160
        - Drops startup file
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 888
        PID: 992
        - Loads dropped DLL
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads (the report lists eight entries, all with identical hashes)
- MD5: 9cf33a9d11e1a0eddb2481e862487bb2
- SHA1: 4db6d3e61cd201bf855a1e50300d01496a231de7
- SHA256: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
- SHA512: 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec