Analysis

  • max time kernel
    41s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2022, 19:30

General

  • Target

    67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe

  • Size

    3.6MB

  • MD5

    a4e7c52086fbf175cda3af56f9874664

  • SHA1

    24ada4a9bbbe6633644a1489fd369d6914d6798a

  • SHA256

    67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8

  • SHA512

    52230da4900cd71304e82e1e95121e6fec91b0477e433ed5b5d8cebb1254b5d6917bffc6ecc9a441b98f2e2104efbebab26c5b3a9c89a4b6b4d0d91ee52d7d8e

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
    "C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 600
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1324

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • \Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • memory/860-63-0x0000000000DD0000-0x0000000000E3A000-memory.dmp

          Filesize

          424KB

        • memory/860-64-0x0000000000970000-0x00000000009D0000-memory.dmp

          Filesize

          384KB

        • memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

          Filesize

          8KB