f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe
Size

193KB
MD5

4b61bfb74b4518d0733aa550c6fc7f0b
SHA1

940e255e7f360235b33282e0b0a4aa600b9cd681
SHA256

f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4
SHA512

d0b87aba7796bc62dd4c3cb84bf66fb7feee1ad49b9f47241d4b216a78c074715121915d3e7113a3d2d3b9e5d0cec5d07d45841acc04b37027d5f8d91fa0346a
SSDEEP

3072:nbLpZuEskJoU4CqQ1LNALc9gWhQh22c4uSiDmXy3PnHbhEdILWoja4jbeRmotu:nbOOxBdNeczhQk4Til/nHF/jFjimH

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2264	nsA252.tmp
1760	UnRAR.exe
3064	01.exe
2888	02.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022dd9-137.dat	upx
behavioral2/files/0x0002000000022dd9-138.dat	upx
behavioral2/memory/1760-140-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4488	2888	WerFault.exe	87
1812	3064	WerFault.exe	86

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 2264	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	83
PID 4584 wrote to memory of 2264	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	83
PID 4584 wrote to memory of 2264	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	83
PID 2264 wrote to memory of 1760	2264	nsA252.tmp	85
PID 2264 wrote to memory of 1760	2264	nsA252.tmp	85
PID 2264 wrote to memory of 1760	2264	nsA252.tmp	85
PID 4584 wrote to memory of 3064	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	86
PID 4584 wrote to memory of 3064	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	86
PID 4584 wrote to memory of 3064	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	86
PID 4584 wrote to memory of 2888	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	87
PID 4584 wrote to memory of 2888	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	87
PID 4584 wrote to memory of 2888	4584	f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe	87

C:\Users\Admin\AppData\Local\Temp\f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe
"C:\Users\Admin\AppData\Local\Temp\f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\nsaA242.tmp\nsA252.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsaA242.tmp\nsA252.tmp" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe" e -o+ -pqwaszx 1.rar
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
    "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe" e -o+ -pqwaszx 1.rar
    3⤵
    - Executes dropped EXE
    PID:1760
- C:\Users\Admin\AppData\Local\Temp\01.exe
  01.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 424
    3⤵
    - Program crash
    PID:1812
- C:\Users\Admin\AppData\Local\Temp\02.exe
  02.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 332
    3⤵
    - Program crash
    PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2888 -ip 2888
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3064 -ip 3064
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01.exe

Filesize
61KB

MD5
66050a0058410559f98b3d3ac9e2bd6d

SHA1
18b4dc220d44b271cbb98f7e352afc273d95b699

SHA256
dbfc5b6173827f2361539f76944da0c76f3656ea63d39e0bc96ca18eda532c40

SHA512
8e95df63a10b02a5ffc17df2d0729d8b65411d52ee8d11d3375472bdb592454df5bb4ba0b4e882765d41a159ba01df42959d1e10dc9e876cbc977091a2e6f6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\01.exe

Filesize
61KB

MD5
66050a0058410559f98b3d3ac9e2bd6d

SHA1
18b4dc220d44b271cbb98f7e352afc273d95b699

SHA256
dbfc5b6173827f2361539f76944da0c76f3656ea63d39e0bc96ca18eda532c40

SHA512
8e95df63a10b02a5ffc17df2d0729d8b65411d52ee8d11d3375472bdb592454df5bb4ba0b4e882765d41a159ba01df42959d1e10dc9e876cbc977091a2e6f6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\02.exe

Filesize
6KB

MD5
3c4eef3f3c3610800290619dfd66d551

SHA1
c0f8229179366a2d43566d95da66347938c374ae

SHA256
483afdadbec58f8a1a85c97c7ba5a60890b515128b08ffe617da4e7769513f00

SHA512
c16cc9edb7fe2870fe7a05aeac1cf7ffd6e35c3c259b5ad2ca24d390b8b744469b285f93b93ae82f83200a7a6bca53989c9e850bf89946998de6fb913aaa7dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\02.exe

Filesize
6KB

MD5
3c4eef3f3c3610800290619dfd66d551

SHA1
c0f8229179366a2d43566d95da66347938c374ae

SHA256
483afdadbec58f8a1a85c97c7ba5a60890b515128b08ffe617da4e7769513f00

SHA512
c16cc9edb7fe2870fe7a05aeac1cf7ffd6e35c3c259b5ad2ca24d390b8b744469b285f93b93ae82f83200a7a6bca53989c9e850bf89946998de6fb913aaa7dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.rar

Filesize
33KB

MD5
41d92ccb2fe2c0f5a646e659ddae6ed2

SHA1
bcdb555a87271749c7844ae8e13846abd7e7b039

SHA256
0485f52f3a00a1e1a540f108553e4aedf8bbb5c837a3533671774351b270ea3f

SHA512
31c8c51e056f8774f52f2d32e2b27a404616603949462476d37f0d35b3b5234f2c472cadabead52bccda9c04b96d2da064ea0cba397e6ed6039536781e4c1e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA242.tmp\nsA252.tmp

Filesize
6KB

MD5
2b81b005983d2147fd587f6a54e2480e

SHA1
cb21d91fa43bec9b6948fdca4f312949e71beb9f

SHA256
e2b3645086c5e0c75e3676db80fdb5d6a31e0f5bc7ee1689d077de1d02f46e7a

SHA512
b436f636824291301543a3ecae879139bce22b9246cd01da4f1da65aa51122ce18feb53886eba398f51e991677c694ed244b0521a32d27be40c98523c0a845fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA242.tmp\nsA252.tmp

Filesize
6KB

MD5
2b81b005983d2147fd587f6a54e2480e

SHA1
cb21d91fa43bec9b6948fdca4f312949e71beb9f

SHA256
e2b3645086c5e0c75e3676db80fdb5d6a31e0f5bc7ee1689d077de1d02f46e7a

SHA512
b436f636824291301543a3ecae879139bce22b9246cd01da4f1da65aa51122ce18feb53886eba398f51e991677c694ed244b0521a32d27be40c98523c0a845fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA242.tmp\nsExec.dll

Filesize
6KB

MD5
03a1a9be1f1e72f926ec9161825eedd6

SHA1
d0574bafc615168c021788d413a3a73d275c492d

SHA256
8a8bce943b78093ecd86a42c203931ee625f445acf5cb5b705e3b7eaf29c7110

SHA512
8d82e15ee109d2236a995990fdd0c9fb39c9d3c4dea1c063f0806314e7a9d09a112f4f09091c265adba9f86ec7a0977294cce112e20ffb2f8b3ad62ab3dac396

Download Submit
memory/1760-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2888-148-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3064-147-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download