1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3

Analysis

max time kernel
55s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3.exe
Size

686KB
MD5

394087fbd857a28dc741796f4621daf6
SHA1

28807b65ac19fa938c2a6834bd5a107727249cee
SHA256

1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3
SHA512

bd94ea9ee4336e916ad6c4e0ae1d632e7a5032f1c76875e9ea00ae201d701d5d0198b880f73673fac0ed718fd9b084ba0af9bdf202c1090b7c93b7522e8aa562
SSDEEP

12288:YFJs3XraGmcmd/26o9juQ+pDQZP+CjFwP4DR+Yt3hlYeYKotIEuq/+4ca6X9cGYb:Yjs3XFxxpJ+pDKzj9df7nYgEuq/+koTu

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1756-55-0x0000000000400000-0x000000000055E000-memory.dmp	upx
behavioral1/memory/1756-57-0x0000000000400000-0x000000000055E000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1756-57-0x0000000000400000-0x000000000055E000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1720	1756	WerFault.exe	24

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1720	1756	1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3.exe	27
PID 1756 wrote to memory of 1720	1756	1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3.exe	27
PID 1756 wrote to memory of 1720	1756	1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3.exe	27
PID 1756 wrote to memory of 1720	1756	1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3.exe	27

C:\Users\Admin\AppData\Local\Temp\1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3.exe
"C:\Users\Admin\AppData\Local\Temp\1dcfcb04a6925a4b4bf205a8e0c8d4c79d89e18d81783bb1cf0e67c0bd1e46f3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 384
  2⤵
  - Program crash
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-56-0x0000000000000000-mapping.dmp

Download
memory/1756-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1756-55-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1756-57-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download