1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3

Analysis

max time kernel
92s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe
Size

200KB
MD5

4649949e3ba04720010fcdb0da39ea14
SHA1

a929a8dcc6012cabce7396186de8625fee4d5f44
SHA256

1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3
SHA512

57d7d542982a9a41c8a85f3d2381200845e629b8be6c73eec8b7798077d8bce99ca442d2192145879cc4089f2eefa6d97dc21edd6c0fecf4920a51021f1336c6
SSDEEP

6144:Oq1JiWQyrRREKb5gfG3QOKNXvFzpw5qcZD:7ihaR5FGlXvFlw5D

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2496	notepad.exe
2548	calc.exe
5088	freebsd.exe

Loads dropped DLL 3 IoCs

pid	Process
1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe
1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe
1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4644	2496	WerFault.exe	82
1644	5088	WerFault.exe	84
4488	2548	WerFault.exe	83

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2496	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	82
PID 1304 wrote to memory of 2496	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	82
PID 1304 wrote to memory of 2496	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	82
PID 1304 wrote to memory of 2548	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	83
PID 1304 wrote to memory of 2548	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	83
PID 1304 wrote to memory of 2548	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	83
PID 1304 wrote to memory of 5088	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	84
PID 1304 wrote to memory of 5088	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	84
PID 1304 wrote to memory of 5088	1304	1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe	84

C:\Users\Admin\AppData\Local\Temp\1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe
"C:\Users\Admin\AppData\Local\Temp\1857f3c7d8325cccdd823e81a8b99d801c82a595f7d20cd4fb8c82223c837fc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  C:\Users\Admin\AppData\Local\Temp\notepad.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 264
    3⤵
    - Program crash
    PID:4644
- C:\Users\Admin\AppData\Local\Temp\calc.exe
  C:\Users\Admin\AppData\Local\Temp\calc.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 264
    3⤵
    - Program crash
    PID:4488
- C:\Users\Admin\AppData\Local\Temp\freebsd.exe
  C:\Users\Admin\AppData\Local\Temp\freebsd.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 264
    3⤵
    - Program crash
    PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5088 -ip 5088
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2496 -ip 2496
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2548 -ip 2548
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
29KB

MD5
b8fe3f9aa573f4f9327be75ca7844250

SHA1
daf566985c0728f2f8c31f37d1b42e261c0a80e4

SHA256
048dc5076ccfe4b19d7fae861105ae26ac1230cb4aeb21f1eb41dae4088dcd1d

SHA512
9a25a0c4fa5e76b8125300dbfb48ec6d386ce0cd6ea3f202e42eb9e95758200d1547a767bb15bf2be3813e3ebd3cdddb9ff1109124aa15f12af88d3b9fd93f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
29KB

MD5
b8fe3f9aa573f4f9327be75ca7844250

SHA1
daf566985c0728f2f8c31f37d1b42e261c0a80e4

SHA256
048dc5076ccfe4b19d7fae861105ae26ac1230cb4aeb21f1eb41dae4088dcd1d

SHA512
9a25a0c4fa5e76b8125300dbfb48ec6d386ce0cd6ea3f202e42eb9e95758200d1547a767bb15bf2be3813e3ebd3cdddb9ff1109124aa15f12af88d3b9fd93f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\freebsd.exe

Filesize
61KB

MD5
940aa2893e3156e8382e64570d7db5e5

SHA1
4f262eaa492b30bfedd7213b6b572c057754af56

SHA256
6faeddc4c54be7df3318d35cb9210816c6fa3367c44e671b2e51136ef715c250

SHA512
b78638ed6c105c43d617ba3bacdd63cfc4d4dd27bd8ef90a0c027296d6f29612e1f61add92436e570e7e9bbbb205aa8dd42d4789cc34f8f1f44640401c4a20e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\freebsd.exe

Filesize
61KB

MD5
940aa2893e3156e8382e64570d7db5e5

SHA1
4f262eaa492b30bfedd7213b6b572c057754af56

SHA256
6faeddc4c54be7df3318d35cb9210816c6fa3367c44e671b2e51136ef715c250

SHA512
b78638ed6c105c43d617ba3bacdd63cfc4d4dd27bd8ef90a0c027296d6f29612e1f61add92436e570e7e9bbbb205aa8dd42d4789cc34f8f1f44640401c4a20e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
24KB

MD5
c527bb91a98dd2e1a046d65d5acfd90e

SHA1
56a599d214cd77f46f6a1cb2acd7aaad24fab53d

SHA256
1232d89ec98922a91aff8527abbdad0e67ae4ab3d7621c4e816322dd22de660b

SHA512
713bb3906e772567d8b0391b933c0ff5957e2ad9bfc3d5f6700f46711c67b680f29902f064b9577b1b1aa83c770135bbccf30bed0bb9c7e24d156323ee38df49

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
24KB

MD5
c527bb91a98dd2e1a046d65d5acfd90e

SHA1
56a599d214cd77f46f6a1cb2acd7aaad24fab53d

SHA256
1232d89ec98922a91aff8527abbdad0e67ae4ab3d7621c4e816322dd22de660b

SHA512
713bb3906e772567d8b0391b933c0ff5957e2ad9bfc3d5f6700f46711c67b680f29902f064b9577b1b1aa83c770135bbccf30bed0bb9c7e24d156323ee38df49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv9745.tmp\DcryptDll.dll

Filesize
13KB

MD5
057a740bc9c01b2ef7dc0230b803336c

SHA1
5b9bd0c2d428319d2e038d9f8c0c4b77ccdcd176

SHA256
c88fe15df8c684942c63707b296cde5217807b8faa9ad3601be0dec947829317

SHA512
a4358398e51180911beb74eb1683d5ed9e0c9d88cee37b61c692d01a54f443c20dccb1e4b9035a57ff8b9306fd83fdab3fcdd89558530b348fa4f9df8aa9b098

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv9745.tmp\DcryptDll.dll

Filesize
13KB

MD5
057a740bc9c01b2ef7dc0230b803336c

SHA1
5b9bd0c2d428319d2e038d9f8c0c4b77ccdcd176

SHA256
c88fe15df8c684942c63707b296cde5217807b8faa9ad3601be0dec947829317

SHA512
a4358398e51180911beb74eb1683d5ed9e0c9d88cee37b61c692d01a54f443c20dccb1e4b9035a57ff8b9306fd83fdab3fcdd89558530b348fa4f9df8aa9b098

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv9745.tmp\DcryptDll.dll

Filesize
13KB

MD5
057a740bc9c01b2ef7dc0230b803336c

SHA1
5b9bd0c2d428319d2e038d9f8c0c4b77ccdcd176

SHA256
c88fe15df8c684942c63707b296cde5217807b8faa9ad3601be0dec947829317

SHA512
a4358398e51180911beb74eb1683d5ed9e0c9d88cee37b61c692d01a54f443c20dccb1e4b9035a57ff8b9306fd83fdab3fcdd89558530b348fa4f9df8aa9b098

Download Submit
memory/1304-150-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1304-152-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1304-151-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1304-144-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1304-145-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1304-146-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2496-147-0x0000000000440000-0x0000000000445000-memory.dmp

Filesize
20KB

Download
memory/2548-148-0x0000000000510000-0x0000000000515000-memory.dmp

Filesize
20KB

Download
memory/5088-149-0x0000000000520000-0x0000000000525000-memory.dmp

Filesize
20KB

Download