Analysis
max time kernel: 48s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 17:52
Static task: static1
Behavioral task: behavioral1
  Sample: b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
  Resource: win10v2004-20220812-en
General
Target: b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
Size: 99KB
MD5: 51b747992c160ffff02c9e577b8577c5
SHA1: 6f661daab8849978d531451747228ec530bd2d96
SHA256: b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3
SHA512: 28c7e34cbf906cd55af64e6226aa48b17b57984f1fc95d9c2c52a4cdb52ab90025e7f7fb2960456c93d6798a49a9882992bf3e2253929bef3b3cb72b9a268122
SSDEEP: 1536:Wdb/vBxIdFlU0AfLhANuIj7Aw6RuNSHSNyszvlk1jEqoSWJY66dlaU26kxnDtoIJ:WnilMfONuXw6RuNDAsjlkDQC66DZGvJ
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
820   GammaXvid.exe

Loads dropped DLL (6 IoCs)
pid   Process
1364  b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
1364  b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
1220  WerFault.exe
1220  WerFault.exe
1220  WerFault.exe
1220  WerFault.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1220  820         WerFault.exe  26

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                                                 procid_target
PID 1364 wrote to memory of 820   1364  b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe  26
PID 1364 wrote to memory of 820   1364  b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe  26
PID 1364 wrote to memory of 820   1364  b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe  26
PID 1364 wrote to memory of 820   1364  b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe  26
PID 820 wrote to memory of 1220   820   GammaXvid.exe                                                           28
PID 820 wrote to memory of 1220   820   GammaXvid.exe                                                           28
PID 820 wrote to memory of 1220   820   GammaXvid.exe                                                           28
PID 820 wrote to memory of 1220   820   GammaXvid.exe                                                           28
Processes

1. C:\Users\Admin\AppData\Local\Temp\b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1364

   2. C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 820

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 396
         - Loads dropped DLL
         - Program crash
         PID: 1220
Network
MITRE ATT&CK Enterprise v6
Downloads (7 entries listed on the original page, all with the identical file details below)

Filesize: 45KB
MD5: 95973a2b3f841b676126b406b704913d
SHA1: 5a82d6292dfcff060b0ce46cfa66ed00f6071c1a
SHA256: e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d
SHA512: 8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d