Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2022, 19:31

General

  • Target
    67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
  • Size
    3.6MB
  • MD5
    a4e7c52086fbf175cda3af56f9874664
  • SHA1
    24ada4a9bbbe6633644a1489fd369d6914d6798a
  • SHA256
    67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8
  • SHA512
    52230da4900cd71304e82e1e95121e6fec91b0477e433ed5b5d8cebb1254b5d6917bffc6ecc9a441b98f2e2104efbebab26c5b3a9c89a4b6b4d0d91ee52d7d8e

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
    "C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 600
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1176

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
          Filesize
          399KB
          MD5
          75233a6594888de3589ac556a04d36d8
          SHA1
          490efc1af779c47849ba20ca53a4dbac9e08185d
          SHA256
          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
          SHA512
          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • \Users\Admin\AppData\Local\Temp\Runtime Broker.exe
          Filesize
          399KB
          MD5
          75233a6594888de3589ac556a04d36d8
          SHA1
          490efc1af779c47849ba20ca53a4dbac9e08185d
          SHA256
          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
          SHA512
          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
          Filesize
          8KB
        • memory/1776-63-0x0000000000A10000-0x0000000000A7A000-memory.dmp
          Filesize
          424KB
        • memory/1776-64-0x0000000000940000-0x00000000009A0000-memory.dmp
          Filesize
          384KB