Analysis
-
max time kernel
105s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
30/10/2022, 20:31
General
-
Target
99415ba5f42e97491bc627748747ca67fd9786ed82297f71f42540083600c12f.exe
-
Size
275KB
-
MD5
a0ea761272519c0be72e169c5ea35bda
-
SHA1
2b5dab951752425e7736ea5a20df9866eb35e0e4
-
SHA256
99415ba5f42e97491bc627748747ca67fd9786ed82297f71f42540083600c12f
-
SHA512
572699868c941277f79dd54f7af12f0e2adf3c941b0cd1444ed9cbc89b850af82d00468bde1bf5724d6248fb4e9c3c5498a9061146b0825112a6e89bbb59d7a5
-
SSDEEP
3072:+E0QjAzXSjGPzsF7tV/2IChsTdwBYOIPPjoZanwMaySfBSrvz/RFD:h06AzXSjGAJVODhsTyw7unyS5SrLZR
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\99415ba5f42e97491bc627748747ca67fd9786ed82297f71f42540083600c12f.exe"C:\Users\Admin\AppData\Local\Temp\99415ba5f42e97491bc627748747ca67fd9786ed82297f71f42540083600c12f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 3043⤵
- Loads dropped DLL
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
164KB
MD5f24be424a93b8428df58d74ddb115713
SHA1ff822611f1c28999902fa25e659256fdaf08425c
SHA2567e1272a7c0d78a039dc9147f1865478a404e82d0575b0474288271e095f7e364
SHA51214e0e1c9dfb4bde28d5e15027506b585e93e59eabcecf00de7cb517faab60f0784a2fc09c712b1b1ec631381078723d6cfbde1f07da81eb09f38d8096a2d0a95
-
Filesize
164KB
MD5f24be424a93b8428df58d74ddb115713
SHA1ff822611f1c28999902fa25e659256fdaf08425c
SHA2567e1272a7c0d78a039dc9147f1865478a404e82d0575b0474288271e095f7e364
SHA51214e0e1c9dfb4bde28d5e15027506b585e93e59eabcecf00de7cb517faab60f0784a2fc09c712b1b1ec631381078723d6cfbde1f07da81eb09f38d8096a2d0a95
-
Filesize
164KB
MD5f24be424a93b8428df58d74ddb115713
SHA1ff822611f1c28999902fa25e659256fdaf08425c
SHA2567e1272a7c0d78a039dc9147f1865478a404e82d0575b0474288271e095f7e364
SHA51214e0e1c9dfb4bde28d5e15027506b585e93e59eabcecf00de7cb517faab60f0784a2fc09c712b1b1ec631381078723d6cfbde1f07da81eb09f38d8096a2d0a95
-
Filesize
164KB
MD5f24be424a93b8428df58d74ddb115713
SHA1ff822611f1c28999902fa25e659256fdaf08425c
SHA2567e1272a7c0d78a039dc9147f1865478a404e82d0575b0474288271e095f7e364
SHA51214e0e1c9dfb4bde28d5e15027506b585e93e59eabcecf00de7cb517faab60f0784a2fc09c712b1b1ec631381078723d6cfbde1f07da81eb09f38d8096a2d0a95
-
Filesize
164KB
MD5f24be424a93b8428df58d74ddb115713
SHA1ff822611f1c28999902fa25e659256fdaf08425c
SHA2567e1272a7c0d78a039dc9147f1865478a404e82d0575b0474288271e095f7e364
SHA51214e0e1c9dfb4bde28d5e15027506b585e93e59eabcecf00de7cb517faab60f0784a2fc09c712b1b1ec631381078723d6cfbde1f07da81eb09f38d8096a2d0a95
-
Filesize
164KB
MD5f24be424a93b8428df58d74ddb115713
SHA1ff822611f1c28999902fa25e659256fdaf08425c
SHA2567e1272a7c0d78a039dc9147f1865478a404e82d0575b0474288271e095f7e364
SHA51214e0e1c9dfb4bde28d5e15027506b585e93e59eabcecf00de7cb517faab60f0784a2fc09c712b1b1ec631381078723d6cfbde1f07da81eb09f38d8096a2d0a95
-
Filesize
164KB
MD5f24be424a93b8428df58d74ddb115713
SHA1ff822611f1c28999902fa25e659256fdaf08425c
SHA2567e1272a7c0d78a039dc9147f1865478a404e82d0575b0474288271e095f7e364
SHA51214e0e1c9dfb4bde28d5e15027506b585e93e59eabcecf00de7cb517faab60f0784a2fc09c712b1b1ec631381078723d6cfbde1f07da81eb09f38d8096a2d0a95
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c
-
Filesize
104KB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
124KB