ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d

Analysis

max time kernel
24s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe
Size

217KB
MD5

3b73a39e49d514af3e2632616d12c9f4
SHA1

3d955bad2f33e6232c8fa13995174b1158a94aa6
SHA256

ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d
SHA512

149c59a5345f220e6f61ac0ebdadfe6f5a80281df0cf2da6dc36f77d82efe24e99128bdd0e88dd324c13564e1e31650dc27e54f52bf2be667e305204bb9a174f
SSDEEP

6144:8d93ZBZMbqYgomHmXbOkARuNaEruapAoMU22IUzYsD:8r3ZBIR2hErRpVF0sD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1396	13.exe

Loads dropped DLL 9 IoCs

pid	Process
912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe
912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe
1396	13.exe
1396	13.exe
1396	13.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1324	1396	WerFault.exe	27

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1396	912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe	27
PID 912 wrote to memory of 1396	912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe	27
PID 912 wrote to memory of 1396	912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe	27
PID 912 wrote to memory of 1396	912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe	27
PID 912 wrote to memory of 1396	912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe	27
PID 912 wrote to memory of 1396	912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe	27
PID 912 wrote to memory of 1396	912	ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe	27
PID 1396 wrote to memory of 1324	1396	13.exe	28
PID 1396 wrote to memory of 1324	1396	13.exe	28
PID 1396 wrote to memory of 1324	1396	13.exe	28
PID 1396 wrote to memory of 1324	1396	13.exe	28
PID 1396 wrote to memory of 1324	1396	13.exe	28
PID 1396 wrote to memory of 1324	1396	13.exe	28
PID 1396 wrote to memory of 1324	1396	13.exe	28

C:\Users\Admin\AppData\Local\Temp\ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe
"C:\Users\Admin\AppData\Local\Temp\ab52fbed12e2f1e7169fb11005c9a0551ac3983b457da5644de10773faa8d44d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\13.exe
  "C:\Users\Admin\AppData\Local\Temp\13.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
\Users\Admin\AppData\Local\Temp\13.exe

Filesize
122KB

MD5
916bb03a4c491ef1f24bc8435d6d4e67

SHA1
a0b1e427bdf251f19f3d2baa28c94a04d4cc95ec

SHA256
2238497bead1f39ac6f7b2ce0f3ebfefde39e832892b7c1e34907fa7a491ebde

SHA512
ba4487b66224fd1258ba23d677f8bd15fba76c6ebe0d87bee07a3f4073317edab6323a5ac7f98550cfe1845ccec3cea1ebf0b597ea0ed7ea4ecb3fa475838652

Download Submit
memory/912-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1396-69-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/1396-70-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/1396-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1396-72-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download