Analysis
max time kernel: 4294185s
max time network: 127s
platform: windows7_x64
resource: win7-20220310-en
submitted: 12-03-2022 14:22
Static task: static1
Behavioral task: behavioral1
  Sample: One-Page-Lease-Agreement-Texas.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: One-Page-Lease-Agreement-Texas.exe
  Resource: win10v2004-en-20220113
General
Target: One-Page-Lease-Agreement-Texas.exe
Size: 261.0MB
MD5: 7194384ed0ce511e24b0e119d0d068f6
SHA1: 9ea9e3f52602988a922e8d8fda000f060be2b248
SHA256: 7cc35fbce4b353c541f1ee62366248cc072d1c7ce38b1d5ef5db4a2414f26e08
SHA512: 0faea84e368d301b7b056630b82c9f2a49f01252e66f5699ddf81f879d22fc74e08a810252e87a58cd9e5b147e9c1682678308781d08fd65e2edb2c8017c98d7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes (pid, process):
  1748  qhjjfwcr.exe
Loads dropped DLL (6 IoCs)
Processes (pid, process):
  1748  qhjjfwcr.exe (2 entries)
  1916  MsiExec.exe (4 entries)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only) by msiexec.exe on 24 drive roots: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  File opened (read-only) by qhjjfwcr.exe on the same 24 drive roots: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
  1616  1176  WerFault.exe  One-Page-Lease-Agreement-Texas.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
  1748  qhjjfwcr.exe
Suspicious use of AdjustPrivilegeToken (61 IoCs)
Processes (description, pid, process), in the order recorded:
  Token: qhjjfwcr.exe (pid 1748) adjusted 29 privileges: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Token: msiexec.exe (pid 432) adjusted 3 privileges: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  Token: qhjjfwcr.exe (pid 1748) adjusted the same 29 privileges a second time, in the same order (29 further entries)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
  1748  qhjjfwcr.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description, pid, process, target process):
  PID 1268 (One-Page-Lease-Agreement-Texas.exe) wrote to memory of 1748 (qhjjfwcr.exe), 7 entries
  PID 1268 (One-Page-Lease-Agreement-Texas.exe) wrote to memory of 1176 (One-Page-Lease-Agreement-Texas.exe), 3 entries
  PID 432 (msiexec.exe) wrote to memory of 1916 (MsiExec.exe), 7 entries
  PID 1176 (One-Page-Lease-Agreement-Texas.exe) wrote to memory of 1616 (WerFault.exe), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe"
  PID: 1268
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\qhjjfwcr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qhjjfwcr.exe"
    PID: 1748
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  Child: C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe" /r
    PID: 1176
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1176 -s 592
      PID: 1616
      - Program crash
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 432
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 89C08C382447DE4EBB0ED41BA4125F2E C
    PID: 1916
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads