cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d

Analysis

max time kernel
81s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe
Size

369KB
MD5

64874e6fc5f280f46542195caa720290
SHA1

ef4c61fe149008cd014842cde1153665ea9a86a3
SHA256

cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d
SHA512

1d73792de24573233a2946f08092aef9edced396090c1dcc1992fda7256a72e8a4d5759207eab54276cf6c134706dd1b4c2e3723d5257eff222028a4e9213a18
SSDEEP

6144:QJKvK9EgnRQwfJDDUZIxUeul9OW2inOivoNge9MnTHzKYhQ7TAtKR:6Eg5JH+TJJBOivovgTKYh1tKR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
968	0187A8.exe
2040	018A18

Loads dropped DLL 11 IoCs

pid	Process
1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe
1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe
1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe
1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	2040	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 968	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	27
PID 1532 wrote to memory of 968	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	27
PID 1532 wrote to memory of 968	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	27
PID 1532 wrote to memory of 968	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	27
PID 1532 wrote to memory of 2040	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	28
PID 1532 wrote to memory of 2040	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	28
PID 1532 wrote to memory of 2040	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	28
PID 1532 wrote to memory of 2040	1532	cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe	28
PID 2040 wrote to memory of 2020	2040	018A18	29
PID 2040 wrote to memory of 2020	2040	018A18	29
PID 2040 wrote to memory of 2020	2040	018A18	29
PID 2040 wrote to memory of 2020	2040	018A18	29

C:\Users\Admin\AppData\Local\Temp\cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe
"C:\Users\Admin\AppData\Local\Temp\cf4b2398d1ba67de456db2da135bc2af11887acb1810db606570099453b5877d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Roaming\019BE0\0187A8.exe
  "C:\Users\Admin\AppData\Roaming\019BE0\0187A8.exe" -launcher
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Users\Admin\AppData\Local\Temp\018A18
  "C:\Users\Admin\AppData\Local\Temp\018A18"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 92
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
C:\Users\Admin\AppData\Roaming\019BE0\0187A8.exe

Filesize
230KB

MD5
fd721b8c75a69f8f47780aeea2ff67cd

SHA1
e30441d90dcae7974088130a18afd5a1b8c2c1fa

SHA256
617250957aee241e4079e607b536329429560e93f008452043629d08f5ef94dd

SHA512
0b238bd8a091e7b0dffd8675c2c5069b868943b5841d1fc106ba35c358b60e35fa2324ba7444405ed8a5548524eaf58819f0952b1f5dd551d27eb184b891e37f

Download Submit
C:\Users\Admin\AppData\Roaming\019BE0\0187A8.exe

Filesize
230KB

MD5
fd721b8c75a69f8f47780aeea2ff67cd

SHA1
e30441d90dcae7974088130a18afd5a1b8c2c1fa

SHA256
617250957aee241e4079e607b536329429560e93f008452043629d08f5ef94dd

SHA512
0b238bd8a091e7b0dffd8675c2c5069b868943b5841d1fc106ba35c358b60e35fa2324ba7444405ed8a5548524eaf58819f0952b1f5dd551d27eb184b891e37f

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Local\Temp\018A18

Filesize
133KB

MD5
067f48e6225926e2c79f0602aeca40c3

SHA1
cbaf12d2e90db6edc6643ccc79e06de9dd7144d1

SHA256
eec2befa2e6e68eed64775dc73f58222cd5b3bc501afd4a73534e2f27b7b3b91

SHA512
d7cb9828d4778b9c68e75fb48dae65796b571dd396f8bc1651782c43256a2747a120362b7926c0618e904019034e1e1306e2851151743993d322658d4ffc6f0c

Download Submit
\Users\Admin\AppData\Roaming\019BE0\0187A8.exe

Filesize
230KB

MD5
fd721b8c75a69f8f47780aeea2ff67cd

SHA1
e30441d90dcae7974088130a18afd5a1b8c2c1fa

SHA256
617250957aee241e4079e607b536329429560e93f008452043629d08f5ef94dd

SHA512
0b238bd8a091e7b0dffd8675c2c5069b868943b5841d1fc106ba35c358b60e35fa2324ba7444405ed8a5548524eaf58819f0952b1f5dd551d27eb184b891e37f

Download Submit
\Users\Admin\AppData\Roaming\019BE0\0187A8.exe

Filesize
230KB

MD5
fd721b8c75a69f8f47780aeea2ff67cd

SHA1
e30441d90dcae7974088130a18afd5a1b8c2c1fa

SHA256
617250957aee241e4079e607b536329429560e93f008452043629d08f5ef94dd

SHA512
0b238bd8a091e7b0dffd8675c2c5069b868943b5841d1fc106ba35c358b60e35fa2324ba7444405ed8a5548524eaf58819f0952b1f5dd551d27eb184b891e37f

Download Submit
memory/968-63-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/968-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-75-0x0000000002C10000-0x0000000002C43000-memory.dmp

Filesize
204KB

Download
memory/1532-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1532-76-0x0000000002C10000-0x0000000002C43000-memory.dmp

Filesize
204KB

Download
memory/1532-56-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1532-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2040-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download