f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe
Size

203KB
MD5

82133810336bb9d1c2523c17a4808570
SHA1

53863f2253b101e21e3acbec5553b6d60eacbbab
SHA256

f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60
SHA512

17cc140ea661b628027a6de872a037a891b284d4d8c487f55b5d1acc616cc4154c94976a4f84271f837b11e9e3c7297d35fb3c232794e85cb0f7297fd2857e86
SSDEEP

6144:ecWMJJhqryYP/daqh5JghBNe4oa9RE04XU:eczJJhqrVPluhBNzRb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	plor.exe

Loads dropped DLL 8 IoCs

pid	Process
856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe
856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe
1344	plor.exe
856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe
788	WerFault.exe
788	WerFault.exe
788	WerFault.exe
788	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dsound.dll.dat	plor.exe
File created	C:\Windows\SysWOW64\dsound.dll.dat	plor.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\kb770577.dep	plor.exe
File created	C:\Program Files (x86)\Common Files\System\kb770577.dep	plor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
788	1344	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1344	plor.exe
1344	plor.exe
1344	plor.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	plor.exe
Token: SeDebugPrivilege	1344	plor.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1344	plor.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1344	856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	26
PID 856 wrote to memory of 1344	856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	26
PID 856 wrote to memory of 1344	856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	26
PID 856 wrote to memory of 1344	856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	26
PID 856 wrote to memory of 1344	856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	26
PID 856 wrote to memory of 1344	856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	26
PID 856 wrote to memory of 1344	856	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	26
PID 1344 wrote to memory of 788	1344	plor.exe	27
PID 1344 wrote to memory of 788	1344	plor.exe	27
PID 1344 wrote to memory of 788	1344	plor.exe	27
PID 1344 wrote to memory of 788	1344	plor.exe	27
PID 1344 wrote to memory of 788	1344	plor.exe	27
PID 1344 wrote to memory of 788	1344	plor.exe	27
PID 1344 wrote to memory of 788	1344	plor.exe	27

C:\Users\Admin\AppData\Local\Temp\f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe
"C:\Users\Admin\AppData\Local\Temp\f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 292
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\kb770577.gon

Filesize
18KB

MD5
26106c14132c074cfe4c300a593af044

SHA1
d943f817d70b764f7d914395928b08c880f77f47

SHA256
f884e81b2b6980c614cc5e07c36386b771edfc795ca9ab3d441ec7dfebce9773

SHA512
5fd8a8e0258b9be2a2cd3351b6ae0505d75d58898588bfd89dcb3fd343193d9b3a7f420272a477c48d3e89ba14c9331279c5e1dad6722055d90bfb379d5ff610

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
\Users\Admin\AppData\Local\Temp\kb770577.gon

Filesize
18KB

MD5
26106c14132c074cfe4c300a593af044

SHA1
d943f817d70b764f7d914395928b08c880f77f47

SHA256
f884e81b2b6980c614cc5e07c36386b771edfc795ca9ab3d441ec7dfebce9773

SHA512
5fd8a8e0258b9be2a2cd3351b6ae0505d75d58898588bfd89dcb3fd343193d9b3a7f420272a477c48d3e89ba14c9331279c5e1dad6722055d90bfb379d5ff610

Download Submit
\Users\Admin\AppData\Local\Temp\kb770577.gon

Filesize
18KB

MD5
26106c14132c074cfe4c300a593af044

SHA1
d943f817d70b764f7d914395928b08c880f77f47

SHA256
f884e81b2b6980c614cc5e07c36386b771edfc795ca9ab3d441ec7dfebce9773

SHA512
5fd8a8e0258b9be2a2cd3351b6ae0505d75d58898588bfd89dcb3fd343193d9b3a7f420272a477c48d3e89ba14c9331279c5e1dad6722055d90bfb379d5ff610

Download Submit
\Users\Admin\AppData\Local\Temp\kb770577.gon

Filesize
18KB

MD5
26106c14132c074cfe4c300a593af044

SHA1
d943f817d70b764f7d914395928b08c880f77f47

SHA256
f884e81b2b6980c614cc5e07c36386b771edfc795ca9ab3d441ec7dfebce9773

SHA512
5fd8a8e0258b9be2a2cd3351b6ae0505d75d58898588bfd89dcb3fd343193d9b3a7f420272a477c48d3e89ba14c9331279c5e1dad6722055d90bfb379d5ff610

Download Submit
memory/856-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/856-68-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/856-62-0x0000000001FC0000-0x0000000001FCD000-memory.dmp

Filesize
52KB

Download
memory/856-61-0x0000000001FC0000-0x0000000001FCD000-memory.dmp

Filesize
52KB

Download
memory/1344-65-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1344-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download