b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3

Analysis

max time kernel
172s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
Size

99KB
MD5

51b747992c160ffff02c9e577b8577c5
SHA1

6f661daab8849978d531451747228ec530bd2d96
SHA256

b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3
SHA512

28c7e34cbf906cd55af64e6226aa48b17b57984f1fc95d9c2c52a4cdb52ab90025e7f7fb2960456c93d6798a49a9882992bf3e2253929bef3b3cb72b9a268122
SSDEEP

1536:Wdb/vBxIdFlU0AfLhANuIj7Aw6RuNSHSNyszvlk1jEqoSWJY66dlaU26kxnDtoIJ:WnilMfONuXw6RuNDAsjlkDQC66DZGvJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2868	GammaXvid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4864	2868	WerFault.exe	79

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2868	4880	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe	79
PID 4880 wrote to memory of 2868	4880	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe	79
PID 4880 wrote to memory of 2868	4880	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe	79

C:\Users\Admin\AppData\Local\Temp\b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
"C:\Users\Admin\AppData\Local\Temp\b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe
  C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 288
    3⤵
    - Program crash
    PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2868 -ip 2868
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit