d00de74643422ea903ed373cdcf072d9375a9c5f23d227c658b5fd278f7be118

Analysis

max time kernel
133s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1.exe
Size

7.4MB
MD5

d88dcfc0dfe3ef8b922c35f021a2fd01
SHA1

82eb63ac6bc2e2959381a624f868e7b4df032b35
SHA256

003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1
SHA512

cb31cf8964e8e7be6154992230c03ac0e2422756725efb64be54e485bb8651213a75d76af7cec2d50c1777c103c7f7d4463303edcc6c9d9b22bdcdc8d32c8edb
SSDEEP

196608:hHS10ijII3/I0VRcRCDLZXZR9G5DiwBGPCW3tdoZmN5J:hy1T0YI0VmRqLFZSS6W3L

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
740	is-VPI0B.tmp
4824	UniExtract.exe
208	UniExtract.exe

Loads dropped DLL 1 IoCs

pid	Process
740	is-VPI0B.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Universal Extractor\unins000.dat	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-RIBBG.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-QE4F2.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-D4L95.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-A3UHF.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-HI7IG.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\is-6VOJR.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\is-CP8UE.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-1L5DA.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-UIM02.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-IC8DE.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-9GKDT.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-0SVDU.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-752V8.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-8RV0U.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-5RU4B.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-4B0SU.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-CD3RO.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\Unp\is-92139.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-EP1VT.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-BAE44.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-2UNTR.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-CS6VK.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-6ME2G.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-CICA8.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-QQSFM.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-4T621.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-D0GL1.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-ISJS6.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-ML372.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-RBTLV.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-KHS1R.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\Unp\is-VO8LF.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-K4VPU.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-780G8.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-LNTEI.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-5MQU8.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-EV08R.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-2BUS2.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-QHKUV.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-763IJ.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\Unp\is-34S53.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\Unp\is-92T95.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-IJ0AC.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-ICKM3.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-4GNL1.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-5ISAQ.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\Unp\is-R2P7J.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-OJTIF.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-4R5RO.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-HEBHL.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\Unp\is-TJIK3.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-4PA7H.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-Q19DD.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\is-2NI8P.tmp	is-VPI0B.tmp
File opened for modification	C:\Program Files (x86)\Universal Extractor\UniExtract.exe	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-8PCO4.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-QAHF3.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-SLI56.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-7P3LR.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-T89IO.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-S7RS6.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\docs\is-TNT2E.tmp	is-VPI0B.tmp
File created	C:\Program Files (x86)\Universal Extractor\bin\is-NAA3S.tmp	is-VPI0B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
904	4824	WerFault.exe	84
1688	4824	WerFault.exe	84
1100	4824	WerFault.exe	84
3520	4824	WerFault.exe	84
4856	208	WerFault.exe	97
3444	208	WerFault.exe	97
3548	208	WerFault.exe	97
4372	208	WerFault.exe	97
4360	208	WerFault.exe	97
1284	208	WerFault.exe	97
3884	208	WerFault.exe	97
624	208	WerFault.exe	97
3712	208	WerFault.exe	97
1048	208	WerFault.exe	97
4556	208	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
208	UniExtract.exe
208	UniExtract.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 740	2468	003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1.exe	81
PID 2468 wrote to memory of 740	2468	003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1.exe	81
PID 2468 wrote to memory of 740	2468	003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1.exe	81
PID 740 wrote to memory of 2332	740	is-VPI0B.tmp	82
PID 740 wrote to memory of 2332	740	is-VPI0B.tmp	82
PID 740 wrote to memory of 2332	740	is-VPI0B.tmp	82
PID 740 wrote to memory of 4824	740	is-VPI0B.tmp	84
PID 740 wrote to memory of 4824	740	is-VPI0B.tmp	84
PID 740 wrote to memory of 4824	740	is-VPI0B.tmp	84
PID 740 wrote to memory of 212	740	is-VPI0B.tmp	95
PID 740 wrote to memory of 212	740	is-VPI0B.tmp	95
PID 740 wrote to memory of 212	740	is-VPI0B.tmp	95
PID 740 wrote to memory of 208	740	is-VPI0B.tmp	97
PID 740 wrote to memory of 208	740	is-VPI0B.tmp	97
PID 740 wrote to memory of 208	740	is-VPI0B.tmp	97

C:\Users\Admin\AppData\Local\Temp\003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1.exe
"C:\Users\Admin\AppData\Local\Temp\003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\is-HQR7B.tmp\is-VPI0B.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HQR7B.tmp\is-VPI0B.tmp" /SL4 $801B2 "C:\Users\Admin\AppData\Local\Temp\003b624a9fbc866238d1fcc3fd3d34033fb7fb4c302402a9c4b36ce979e186f1.exe" 7469234 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:2332
- - C:\Program Files (x86)\Universal Extractor\UniExtract.exe
    "C:\Program Files (x86)\Universal Extractor\UniExtract.exe"
    3⤵
    - Executes dropped EXE
    PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 912
      4⤵
      Program crash
      PID:904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 952
      4⤵
      Program crash
      PID:1688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1076
      4⤵
      Program crash
      PID:1100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 140
      4⤵
      Program crash
      PID:3520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "UniExtract 29"
    3⤵
    PID:212
- - C:\Program Files (x86)\Universal Extractor\UniExtract.exe
    "C:\Program Files (x86)\Universal Extractor\UniExtract.exe" 5f5d5a7c6dbe68ab6e1dbd4885ecc879
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 896
      4⤵
      Program crash
      PID:4856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 940
      4⤵
      Program crash
      PID:3444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 944
      4⤵
      Program crash
      PID:3548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1104
      4⤵
      Program crash
      PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1128
      4⤵
      Program crash
      PID:4360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1208
      4⤵
      Program crash
      PID:1284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1244
      4⤵
      Program crash
      PID:3884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1324
      4⤵
      Program crash
      PID:624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1332
      4⤵
      Program crash
      PID:3712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1360
      4⤵
      Program crash
      PID:1048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 908
      4⤵
      Program crash
      PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4824 -ip 4824
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4824 -ip 4824
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4824 -ip 4824
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 208 -ip 208
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 208 -ip 208
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 208 -ip 208
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 208 -ip 208
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 208 -ip 208
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 208 -ip 208
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 208 -ip 208
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 208 -ip 208
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 208 -ip 208
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 208 -ip 208
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 208 -ip 208
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Universal Extractor\UniExtract.exe

Filesize
3.3MB

MD5
01a2b1c08f362133d69147efeaccd9f3

SHA1
4ce4452184a1ad4b87e731fdf96d5a66a03c8419

SHA256
bf59e116361cde48bd16904af8ac899892282d37d30c6058ff3181c5435d4266

SHA512
7c3fd6f5a66520934081c722b8858eb2a0c23b9087ae14698ffc5f8c9c83786b2bdd96790f866354e8b76851cd69be527b9ba7986f2478d648066366f4d1e83b

Download Submit
C:\Program Files (x86)\Universal Extractor\UniExtract.exe

Filesize
3.3MB

MD5
01a2b1c08f362133d69147efeaccd9f3

SHA1
4ce4452184a1ad4b87e731fdf96d5a66a03c8419

SHA256
bf59e116361cde48bd16904af8ac899892282d37d30c6058ff3181c5435d4266

SHA512
7c3fd6f5a66520934081c722b8858eb2a0c23b9087ae14698ffc5f8c9c83786b2bdd96790f866354e8b76851cd69be527b9ba7986f2478d648066366f4d1e83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B8JTO.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HQR7B.tmp\is-VPI0B.tmp

Filesize
644KB

MD5
d2d4c4adbd8fe86cbef5547c64ff6c3e

SHA1
b959a16143a81a1dac99ff387d597e1e20b2b2e0

SHA256
abf82ee3b4593051434be8721e79a7df39e75d3078b4fc90a4e0f8a7de6aa3ba

SHA512
653bfc044a31794db372b6c3f21c5f97cfd55349953e9a755654263549bc8a5f94e58343a4fd1411ddf550f44526a94027610c212126c98adc123e92670941f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HQR7B.tmp\is-VPI0B.tmp

Filesize
644KB

MD5
d2d4c4adbd8fe86cbef5547c64ff6c3e

SHA1
b959a16143a81a1dac99ff387d597e1e20b2b2e0

SHA256
abf82ee3b4593051434be8721e79a7df39e75d3078b4fc90a4e0f8a7de6aa3ba

SHA512
653bfc044a31794db372b6c3f21c5f97cfd55349953e9a755654263549bc8a5f94e58343a4fd1411ddf550f44526a94027610c212126c98adc123e92670941f6

Download Submit
memory/208-151-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/208-150-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2468-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2468-138-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4824-142-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/4824-145-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/4824-144-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/4824-143-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download