8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736

Analysis

max time kernel
4294182s
max time network
131s
platform
windows7_x64
resource
win7-20220310-en
submitted
12-03-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Size

670KB
MD5

e57825558128cf42f67346dcf2319e64
SHA1

d3d940ccbdb64aa57261599511a09d507b5dd417
SHA256

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736
SHA512

e7209f05adde4813627d142808091ecb002ecd581f58d6905e4a4228f48df27ee4f087c8b4ff11d89acf2607a6628519d030a10070d2ea46185170a698dc00a1

Score

9^/10

Malware Config

Signatures

Nirsoft 13 IoCs

resource	yara_rule
behavioral1/files/0x00080000000140f7-59.dat	Nirsoft
behavioral1/files/0x00080000000140f7-61.dat	Nirsoft
behavioral1/files/0x00080000000140f7-60.dat	Nirsoft
behavioral1/files/0x00080000000140f7-63.dat	Nirsoft
behavioral1/files/0x00080000000140f7-64.dat	Nirsoft
behavioral1/files/0x00080000000140f7-65.dat	Nirsoft
behavioral1/files/0x00080000000140f7-66.dat	Nirsoft
behavioral1/files/0x00080000000140f7-68.dat	Nirsoft
behavioral1/files/0x00080000000140f7-70.dat	Nirsoft
behavioral1/files/0x00080000000140f7-69.dat	Nirsoft
behavioral1/files/0x00080000000140f7-72.dat	Nirsoft
behavioral1/files/0x00080000000140f7-73.dat	Nirsoft
behavioral1/files/0x00080000000140f7-74.dat	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
880	AdvancedRun.exe
1312	AdvancedRun.exe
1776	AdvancedRun.exe
1132	AdvancedRun.exe
620	Wrvqtyoyuopenbullet.exe

Loads dropped DLL 14 IoCs

pid	Process
792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
880	AdvancedRun.exe
880	AdvancedRun.exe
792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
1776	AdvancedRun.exe
1776	AdvancedRun.exe
1180	WScript.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
856	576	WerFault.exe	35
1772	620	WerFault.exe	34

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
880	AdvancedRun.exe
880	AdvancedRun.exe
1312	AdvancedRun.exe
1312	AdvancedRun.exe
1776	AdvancedRun.exe
1776	AdvancedRun.exe
1132	AdvancedRun.exe
1132	AdvancedRun.exe
792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Token: SeDebugPrivilege	880	AdvancedRun.exe
Token: SeImpersonatePrivilege	880	AdvancedRun.exe
Token: SeDebugPrivilege	1312	AdvancedRun.exe
Token: SeImpersonatePrivilege	1312	AdvancedRun.exe
Token: SeDebugPrivilege	1776	AdvancedRun.exe
Token: SeImpersonatePrivilege	1776	AdvancedRun.exe
Token: SeDebugPrivilege	1132	AdvancedRun.exe
Token: SeImpersonatePrivilege	1132	AdvancedRun.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 880	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	29
PID 792 wrote to memory of 880	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	29
PID 792 wrote to memory of 880	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	29
PID 792 wrote to memory of 880	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	29
PID 880 wrote to memory of 1312	880	AdvancedRun.exe	30
PID 880 wrote to memory of 1312	880	AdvancedRun.exe	30
PID 880 wrote to memory of 1312	880	AdvancedRun.exe	30
PID 880 wrote to memory of 1312	880	AdvancedRun.exe	30
PID 792 wrote to memory of 1776	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	31
PID 792 wrote to memory of 1776	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	31
PID 792 wrote to memory of 1776	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	31
PID 792 wrote to memory of 1776	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	31
PID 1776 wrote to memory of 1132	1776	AdvancedRun.exe	32
PID 1776 wrote to memory of 1132	1776	AdvancedRun.exe	32
PID 1776 wrote to memory of 1132	1776	AdvancedRun.exe	32
PID 1776 wrote to memory of 1132	1776	AdvancedRun.exe	32
PID 792 wrote to memory of 1180	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	33
PID 792 wrote to memory of 1180	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	33
PID 792 wrote to memory of 1180	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	33
PID 792 wrote to memory of 1180	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	33
PID 1180 wrote to memory of 620	1180	WScript.exe	34
PID 1180 wrote to memory of 620	1180	WScript.exe	34
PID 1180 wrote to memory of 620	1180	WScript.exe	34
PID 1180 wrote to memory of 620	1180	WScript.exe	34
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 792 wrote to memory of 576	792	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	35
PID 576 wrote to memory of 856	576	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	36
PID 576 wrote to memory of 856	576	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	36
PID 576 wrote to memory of 856	576	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	36
PID 576 wrote to memory of 856	576	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	36
PID 620 wrote to memory of 1772	620	Wrvqtyoyuopenbullet.exe	37
PID 620 wrote to memory of 1772	620	Wrvqtyoyuopenbullet.exe	37
PID 620 wrote to memory of 1772	620	Wrvqtyoyuopenbullet.exe	37
PID 620 wrote to memory of 1772	620	Wrvqtyoyuopenbullet.exe	37

C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
"C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 880
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1776
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sqsxfhynivxwpl.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe
    "C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 652
      4⤵
      Loads dropped DLL
      Program crash
      PID:1772
- C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
  C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 36
    3⤵
    - Program crash
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-95-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/576-91-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/576-93-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/576-83-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/576-85-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/576-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/576-89-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/620-81-0x0000000000F50000-0x0000000001078000-memory.dmp

Filesize
1.2MB

Download
memory/620-82-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/620-96-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/792-54-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/792-57-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/792-56-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/792-55-0x0000000000AB0000-0x0000000000B5C000-memory.dmp

Filesize
688KB

Download
memory/792-58-0x0000000004670000-0x000000000471A000-memory.dmp

Filesize
680KB

Download
memory/880-62-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download