b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d

Analysis

max time kernel
95s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

4.8MB
MD5

780c98ccb0bc0dae2242b4fa624d9871
SHA1

e1df2dc3ad4127c4f1f23e853495e92fd3479991
SHA256

b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
SHA512

d8e3dd8643df87b487dd2ffa7a720c66619370023fdb6b7e53a92fc80852888d2d33512efe2f13e585247d64997540804f30fe7b7f6e38772c8839b1d88cac98
SSDEEP

98304:tu9cj4G6PAA35gAXuzWuG0tGA6wgPfAet7OwxB8tEQIiJCEt09oMIQ:tumj4GX0OMuyb0t0pzlH38tEQIeazh

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 3992	2736	file.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1444	2736	WerFault.exe	78
1868	2736	WerFault.exe	78
228	2736	WerFault.exe	78
3128	2736	WerFault.exe	78

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3992	rundll32.exe
3992	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3992	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3992	2736	file.exe	91
PID 2736 wrote to memory of 3992	2736	file.exe	91
PID 2736 wrote to memory of 3992	2736	file.exe	91
PID 2736 wrote to memory of 3992	2736	file.exe	91

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 824
  2⤵
  - Program crash
  PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 884
  2⤵
  - Program crash
  PID:1868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 888
  2⤵
  - Program crash
  PID:228
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 876
  2⤵
  - Program crash
  PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2736 -ip 2736
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2736 -ip 2736
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2736 -ip 2736
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2736 -ip 2736
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rpiidpytrto.tmp

Filesize
3.5MB

MD5
c597ca48af580cb2755914474a787ddf

SHA1
427cdbd19eadb94f1f89b51a7c3647a3ff7d3925

SHA256
8c67a70fe070595fda6ec977af7da0085d40df299f04cdd5669156752fee3f31

SHA512
c41ab851b712c484184934b2dab7015d329ec485b454b645411f69a97ef4a46351fe892f86522abf19c08cf1b7b6a5212954053b8218046cdfab24ef734e47ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZIOFAVD-20220812-1952.log

Filesize
181KB

MD5
6d45d5cf8942fe84ef13f94ba7e9f103

SHA1
ab7e93c91409dfd822e4afac72b423780be91711

SHA256
f407fcd3ce92166e2e3a86ce23f830100747364042f275338650e228af10bd03

SHA512
a9ab9519c8fb6343552b5b9ba6492e7db7595d8a4abff5197944034c5bc940db97f58907b24c9c1cc316e03799dcaca647bc1e2280c7388ddc9a8e9322c491ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI645A.txt

Filesize
426KB

MD5
d6bf37e485af183339e35423cdd4f8e9

SHA1
c7974725701dee5fcfb0e70f73f198d4d0ce3eeb

SHA256
b2d7382b176b11d055ca783cd6ad59db1607ddd99766b2437e1d558b801f8367

SHA512
2ac89bb21d98105e202357a33d555110be2f10f5f44472f1e5ed8c8070b7c541dbc04952c555addff4ac24a77a6ebf467d823e64ede71db1cc3b1d53d8730933

Download Submit
memory/2736-147-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-146-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-137-0x0000000002DD0000-0x0000000003425000-memory.dmp

Filesize
6.3MB

Download
memory/2736-138-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/2736-139-0x00000000039B0000-0x0000000004519000-memory.dmp

Filesize
11.4MB

Download
memory/2736-140-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-141-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-142-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-143-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-145-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-144-0x0000000004620000-0x0000000004760000-memory.dmp

Filesize
1.2MB

Download
memory/2736-132-0x000000000291D000-0x0000000002DC7000-memory.dmp

Filesize
4.7MB

Download
memory/2736-133-0x0000000002DD0000-0x0000000003425000-memory.dmp

Filesize
6.3MB

Download
memory/2736-136-0x00000000039B0000-0x0000000004519000-memory.dmp

Filesize
11.4MB

Download
memory/2736-134-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/2736-151-0x00000000039B0000-0x0000000004519000-memory.dmp

Filesize
11.4MB

Download
memory/2736-135-0x00000000039B0000-0x0000000004519000-memory.dmp

Filesize
11.4MB

Download
memory/3992-152-0x0000000003A50000-0x0000000003B90000-memory.dmp

Filesize
1.2MB

Download
memory/3992-153-0x0000000000AA0000-0x00000000014EA000-memory.dmp

Filesize
10.3MB

Download
memory/3992-150-0x0000000003A50000-0x0000000003B90000-memory.dmp

Filesize
1.2MB

Download
memory/3992-149-0x0000000002E20000-0x0000000003989000-memory.dmp

Filesize
11.4MB

Download
memory/3992-157-0x0000000002E20000-0x0000000003989000-memory.dmp

Filesize
11.4MB

Download
memory/3992-159-0x0000000003A50000-0x0000000003B90000-memory.dmp

Filesize
1.2MB

Download
memory/3992-158-0x0000000003A50000-0x0000000003B90000-memory.dmp

Filesize
1.2MB

Download
memory/3992-160-0x0000000002E20000-0x0000000003989000-memory.dmp

Filesize
11.4MB

Download