9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060

Analysis

max time kernel
4294178s
max time network
125s
platform
windows7_x64
resource
win7-20220311-en
submitted
12-03-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
Size

4.7MB
MD5

98b5a2087569e503f690eb4ca40714f4
SHA1

9444c4b8cd43e49cd99010bb108f6be72dd21b67
SHA256

9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060
SHA512

f3a4760147e5a2d635144a406dfb06746e9aa6795d923d1a5343e42f26bdd719c38144702e9241a7effcd0e513c4f3a8f26b476ffc83d8ac456bdf6a1ab8b870

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Crack.exenote866.exe

pid process

1892 Crack.exe
1876 note866.exe

pid	process
1892	Crack.exe
1876	note866.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
behavioral1/memory/1876-66-0x0000000000400000-0x0000000000664000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe	vmprotect

Loads dropped DLL 11 IoCs

Processes:

9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exeWerFault.exe

pid	process
1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1568 1876 WerFault.exe note866.exe

pid	pid_target	process	target process
1568	1876	WerFault.exe	note866.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exenote866.exe

description	pid	process	target process
PID 1040 wrote to memory of 1892	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	Crack.exe
PID 1040 wrote to memory of 1892	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	Crack.exe
PID 1040 wrote to memory of 1892	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	Crack.exe
PID 1040 wrote to memory of 1892	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	Crack.exe
PID 1040 wrote to memory of 1876	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	note866.exe
PID 1040 wrote to memory of 1876	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	note866.exe
PID 1040 wrote to memory of 1876	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	note866.exe
PID 1040 wrote to memory of 1876	1040	9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe	note866.exe
PID 1876 wrote to memory of 1568	1876	note866.exe	WerFault.exe
PID 1876 wrote to memory of 1568	1876	note866.exe	WerFault.exe
PID 1876 wrote to memory of 1568	1876	note866.exe	WerFault.exe
PID 1876 wrote to memory of 1568	1876	note866.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe
"C:\Users\Admin\AppData\Local\Temp\9f62de7124f54969d6597d7207380ac3e65cdda4aff4a3ae6f5dbd2af44e0060.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
2⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 184
3⤵
- Loads dropped DLL
- Program crash
PID:1568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
MD5
f4eff78cbc2567714cbca4e8efd3d75e

SHA1
6d9406e8a522cab6e5c5e22eab361e2865529c6f

SHA256
63f8d616906a329108594c80ebba48040ed05722b9edb5779499a34502822bd8

SHA512
ad0d062ff5b51daea4a5b2ce4bd2286d255365711a31274c49cc5d184c78e695e45212c1aeefd65276842509bea21f43bf1f6e11e280cf955d5b0c4e82623272

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
MD5
f4eff78cbc2567714cbca4e8efd3d75e

SHA1
6d9406e8a522cab6e5c5e22eab361e2865529c6f

SHA256
63f8d616906a329108594c80ebba48040ed05722b9edb5779499a34502822bd8

SHA512
ad0d062ff5b51daea4a5b2ce4bd2286d255365711a31274c49cc5d184c78e695e45212c1aeefd65276842509bea21f43bf1f6e11e280cf955d5b0c4e82623272

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
MD5
f4eff78cbc2567714cbca4e8efd3d75e

SHA1
6d9406e8a522cab6e5c5e22eab361e2865529c6f

SHA256
63f8d616906a329108594c80ebba48040ed05722b9edb5779499a34502822bd8

SHA512
ad0d062ff5b51daea4a5b2ce4bd2286d255365711a31274c49cc5d184c78e695e45212c1aeefd65276842509bea21f43bf1f6e11e280cf955d5b0c4e82623272

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
MD5
f4eff78cbc2567714cbca4e8efd3d75e

SHA1
6d9406e8a522cab6e5c5e22eab361e2865529c6f

SHA256
63f8d616906a329108594c80ebba48040ed05722b9edb5779499a34502822bd8

SHA512
ad0d062ff5b51daea4a5b2ce4bd2286d255365711a31274c49cc5d184c78e695e45212c1aeefd65276842509bea21f43bf1f6e11e280cf955d5b0c4e82623272

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
MD5
f4eff78cbc2567714cbca4e8efd3d75e

SHA1
6d9406e8a522cab6e5c5e22eab361e2865529c6f

SHA256
63f8d616906a329108594c80ebba48040ed05722b9edb5779499a34502822bd8

SHA512
ad0d062ff5b51daea4a5b2ce4bd2286d255365711a31274c49cc5d184c78e695e45212c1aeefd65276842509bea21f43bf1f6e11e280cf955d5b0c4e82623272

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\note866.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
memory/1040-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/1876-66-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads