99b97e30537927b5be9f30ab567fc359764b029d6e07506b07b7fb7d192fec83

Analysis

max time kernel
140s
max time network
128s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
31-10-2022 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

factura.exe
Size

323.8MB
MD5

e1931fc3014602cf32c674fd33f44997
SHA1

198801ea4486986ee04b66fb878ad07d375e7292
SHA256

19c534716cf4ae570e269085517aef371065cab6e04e026460887b885ef11486
SHA512

6d94a21a0fdb4d7f18923350c562bc559e1f84fed49d3140027771ba60a18c339cea226b3288f1d90603d6b44be1deaa676b9106b3029a2ff7429678d9a25d99
SSDEEP

98304:ERKzSABguHEuJWcGX9oRYAO24IvaJn/vTgCDsYVnuKDMagFO1oTJejpOkWJaBJrg:guHb8g4lJ/vr4YIagFO10ejpRgab2Zwk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
668	spoolsv793976.exe

Loads dropped DLL 9 IoCs

pid	Process
1652	factura.exe
668	spoolsv793976.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1420	668	WerFault.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	spoolsv793976.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	spoolsv793976.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	spoolsv793976.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	spoolsv793976.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	spoolsv793976.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	spoolsv793976.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 668	1652	factura.exe	28
PID 1652 wrote to memory of 668	1652	factura.exe	28
PID 1652 wrote to memory of 668	1652	factura.exe	28
PID 1652 wrote to memory of 668	1652	factura.exe	28
PID 668 wrote to memory of 1420	668	spoolsv793976.exe	29
PID 668 wrote to memory of 1420	668	spoolsv793976.exe	29
PID 668 wrote to memory of 1420	668	spoolsv793976.exe	29
PID 668 wrote to memory of 1420	668	spoolsv793976.exe	29

C:\Users\Admin\AppData\Local\Temp\factura.exe
"C:\Users\Admin\AppData\Local\Temp\factura.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\kcnr\spoolsv793976.exe
  "C:\Users\Admin\kcnr\spoolsv793976.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 272
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kcnr\EVENT.dll

Filesize
64.8MB

MD5
fa18058fef5544df4c9ee1ac641e25c5

SHA1
762a5a5f5395b3ba33ef9ef57393b4a40fe62e5c

SHA256
28639c97118a25ba074168df526c661458cb5698591f07f41c93688eed14b112

SHA512
26debfe5d5a26d1a68cf2cd94de0d000f6e0471b2de58e6963214c05749834e1808818ca68536f9b64c5f4bffcdd2509dcd6f40af72230241ef38cf25c801b7f

Download Submit
C:\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
C:\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
\Users\Admin\kcnr\EVENT.DLL

Filesize
59.2MB

MD5
5effb83bd68a4f9715352bfbb533fcaf

SHA1
9ff68c1dc59abe277ba1f61c435b6145ae6cc0f6

SHA256
69830d856d883742980a9c3c4cfe7e3c80b47f205b0bf5193b60b15fab18453f

SHA512
0ebf608c08f39b5d6c371fc98e9ffcdd2da27cbd08e3f1372d0807d67034798f372cb7df631a9ae09f9236cc2a653d058f6493f6172ddcbf4210b584e68a4e02

Download Submit
\Users\Admin\kcnr\EVENT.DLL

Filesize
57.8MB

MD5
1498639654d82819706a49de58ce4d51

SHA1
f778473489cfcb745ead37496963d473d788e608

SHA256
9862887485a1c030399f9bb5b62bbddfab7cb3d5d8faedabf1e892c802265259

SHA512
f37d8dfb5f8509bfa3713451456e022a44c5124397842ae844c83355bbef33f2aec5dc65e31f5ce97e5d8bec582c273c2f2053eab027fe15586924e8fe480a89

Download Submit
\Users\Admin\kcnr\EVENT.DLL

Filesize
56.0MB

MD5
ea1e3472b27d93b2cb14d18952c046f0

SHA1
4bcf4b4394c78f0dbe64d594bad7338e5eee6efa

SHA256
42a246b5688113db10c54b2c89bcbb7c45e5a49ca58b7e0db4e0612f847bb227

SHA512
7101d34e400945e3a529ee1880bb79a13be14d3cd0abec9f2fd2a8db83e7a3def7d99ea4a92a4ba9a8b2bac1f104620d740578eb88d823d29a281d088457a685

Download Submit
\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
\Users\Admin\kcnr\spoolsv793976.exe

Filesize
124KB

MD5
1eb266f45c6e163e966424893b18fc60

SHA1
4a71e0e6532f8f7db6698614f771dce6a58e1b3b

SHA256
655b1947cff133a1713623e358a923e0a5935353b93486134fb91c74dbfe120f

SHA512
e784ad64e0f6a1fd5f1a1c1469390f6369960060041d2b21edb2497c16b9d411d142bcf7b0fb94b0274214cd40b8534c63bd559f798267a0d84e8f3720ae8f61

Download Submit
memory/668-61-0x0000000001070000-0x000000000229D000-memory.dmp

Filesize
18.2MB

Download
memory/668-56-0x0000000000000000-mapping.dmp

Download
memory/1420-64-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads