ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861

Analysis

max time kernel
4294179s
max time network
123s
platform
windows7_x64
resource
win7-20220310-en
submitted
11-03-2022 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
Size

4.5MB
MD5

e74c1454dae0adff7ec98bd75918de5b
SHA1

b0400f55f533883b584647c9ab09855fcfe87aa6
SHA256

ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861
SHA512

10d3a4ed12e37cc572a70a1b5a697594b380423484c8913a068ef5dba62805dc7ff747a4e1cb8d5f3ca5466edf67955403a7ab9130fe7fd9a14af3ded356741f

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

GloryWSetp.exenote866.exe

pid process

1164 GloryWSetp.exe
1984 note866.exe

pid	process
1164	GloryWSetp.exe
1984	note866.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
behavioral1/memory/1984-73-0x0000000000400000-0x0000000000664000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect

Loads dropped DLL 12 IoCs

Processes:

ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exeWerFault.exe

pid	process
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1840 1984 WerFault.exe note866.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GloryWSetp.exe

description pid process

Token: SeDebugPrivilege 1164 GloryWSetp.exe

pid	pid_target	process	target process
1840	1984	WerFault.exe	note866.exe

description	pid	process
Token: SeDebugPrivilege	1164	GloryWSetp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exenote866.exe

description	pid	process	target process
PID 1824 wrote to memory of 1164	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	GloryWSetp.exe
PID 1824 wrote to memory of 1164	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	GloryWSetp.exe
PID 1824 wrote to memory of 1164	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	GloryWSetp.exe
PID 1824 wrote to memory of 1164	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	GloryWSetp.exe
PID 1824 wrote to memory of 1984	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	note866.exe
PID 1824 wrote to memory of 1984	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	note866.exe
PID 1824 wrote to memory of 1984	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	note866.exe
PID 1824 wrote to memory of 1984	1824	ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe	note866.exe
PID 1984 wrote to memory of 1840	1984	note866.exe	WerFault.exe
PID 1984 wrote to memory of 1840	1984	note866.exe	WerFault.exe
PID 1984 wrote to memory of 1840	1984	note866.exe	WerFault.exe
PID 1984 wrote to memory of 1840	1984	note866.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe
"C:\Users\Admin\AppData\Local\Temp\ad936971ede3174ed348896de0084fe8faa5ae7afa4315cf6c3e4f1420c27861.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 184
3⤵
- Loads dropped DLL
- Program crash
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe
MD5
cc199a05baa311170e98d284cb85b54e

SHA1
b8f9fecb7e30210e6f35fca95578bda57a0559d9

SHA256
053c3a7ef2dd48621eb737d528ec313a490ab6c1851c95584b99a3762a49096c

SHA512
57bea83219d71b116cc4476aa30ea850bfa861a3ef1eec6f15a97507dcbbd10be5a9513a8b6096070252a2b83748e5a016db556d91969526dcc5672b736c004f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe
MD5
cc199a05baa311170e98d284cb85b54e

SHA1
b8f9fecb7e30210e6f35fca95578bda57a0559d9

SHA256
053c3a7ef2dd48621eb737d528ec313a490ab6c1851c95584b99a3762a49096c

SHA512
57bea83219d71b116cc4476aa30ea850bfa861a3ef1eec6f15a97507dcbbd10be5a9513a8b6096070252a2b83748e5a016db556d91969526dcc5672b736c004f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe
MD5
cc199a05baa311170e98d284cb85b54e

SHA1
b8f9fecb7e30210e6f35fca95578bda57a0559d9

SHA256
053c3a7ef2dd48621eb737d528ec313a490ab6c1851c95584b99a3762a49096c

SHA512
57bea83219d71b116cc4476aa30ea850bfa861a3ef1eec6f15a97507dcbbd10be5a9513a8b6096070252a2b83748e5a016db556d91969526dcc5672b736c004f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe
MD5
cc199a05baa311170e98d284cb85b54e

SHA1
b8f9fecb7e30210e6f35fca95578bda57a0559d9

SHA256
053c3a7ef2dd48621eb737d528ec313a490ab6c1851c95584b99a3762a49096c

SHA512
57bea83219d71b116cc4476aa30ea850bfa861a3ef1eec6f15a97507dcbbd10be5a9513a8b6096070252a2b83748e5a016db556d91969526dcc5672b736c004f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe
MD5
cc199a05baa311170e98d284cb85b54e

SHA1
b8f9fecb7e30210e6f35fca95578bda57a0559d9

SHA256
053c3a7ef2dd48621eb737d528ec313a490ab6c1851c95584b99a3762a49096c

SHA512
57bea83219d71b116cc4476aa30ea850bfa861a3ef1eec6f15a97507dcbbd10be5a9513a8b6096070252a2b83748e5a016db556d91969526dcc5672b736c004f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GloryWSetp.exe
MD5
cc199a05baa311170e98d284cb85b54e

SHA1
b8f9fecb7e30210e6f35fca95578bda57a0559d9

SHA256
053c3a7ef2dd48621eb737d528ec313a490ab6c1851c95584b99a3762a49096c

SHA512
57bea83219d71b116cc4476aa30ea850bfa861a3ef1eec6f15a97507dcbbd10be5a9513a8b6096070252a2b83748e5a016db556d91969526dcc5672b736c004f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
memory/1164-65-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1164-66-0x0000000002040000-0x0000000002042000-memory.dmp

Filesize
8KB

Download
memory/1164-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1164-63-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1164-62-0x0000000000170000-0x00000000001A0000-memory.dmp

Filesize
192KB

Download
memory/1164-61-0x000007FEF4EC0000-0x000007FEF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/1824-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1984-73-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download