Analysis
- max time kernel: 41s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 14/08/2022, 19:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  - Resource: win7-20220812-en
General
- Target: 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
- Size: 3.6MB
- MD5: a4e7c52086fbf175cda3af56f9874664
- SHA1: 24ada4a9bbbe6633644a1489fd369d6914d6798a
- SHA256: 67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8
- SHA512: 52230da4900cd71304e82e1e95121e6fec91b0477e433ed5b5d8cebb1254b5d6917bffc6ecc9a441b98f2e2104efbebab26c5b3a9c89a4b6b4d0d91ee52d7d8e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid  Process
  860  Runtime Broker.exe
- Loads dropped DLL (10 IoCs)
  pid   Process
  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  1324  WerFault.exe
  1324  WerFault.exe
  1324  WerFault.exe
  1324  WerFault.exe
  1324  WerFault.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  description                   ioc                                                              Process
  File created                  C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini   67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  File opened for modification  C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe      67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  File opened for modification  C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe   67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1324  860         WerFault.exe  27
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid   Process                                            procid_target
  PID 1668 wrote to memory of 860  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe  27
  PID 1668 wrote to memory of 860  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe  27
  PID 1668 wrote to memory of 860  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe  27
  PID 1668 wrote to memory of 860  1668  67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe  27
  PID 860 wrote to memory of 1324  860   Runtime Broker.exe                                 28
  PID 860 wrote to memory of 1324  860   Runtime Broker.exe                                 28
  PID 860 wrote to memory of 1324  860   Runtime Broker.exe                                 28
  PID 860 wrote to memory of 1324  860   Runtime Broker.exe                                 28
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1668
  - [2] C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 860
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 600
      - Loads dropped DLL
      - Program crash
      PID: 1324
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 399KB
  MD5: 75233a6594888de3589ac556a04d36d8
  SHA1: 490efc1af779c47849ba20ca53a4dbac9e08185d
  SHA256: fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
  SHA512: c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b