ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 09:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657.exe
Size

812KB
MD5

56d6b70b27b9825f10b8a9481c116cb1
SHA1

fa841836500c4530c6e64ce7e635a6fbf5da52b6
SHA256

ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657
SHA512

294d6f547e7a84a56b36e78c7afdda3e89a6d87ee81dc3a2d8ce7ba942807e84100dad01410159fdac72139089f1b24f537ca5145ff26d9fb33aef76cb0a8ce7
SSDEEP

12288:n8s23ih0vMJy8BEXFbM9YVNb4jj+9aTQFR370Qz+CenjNIYEZXr4pVgDPEKzlk:nOioT9X2uKHuakFR379XMz9pkPEKBk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5024	eeac295a02c7820d5bc5db5cef9c6608.exe
2040	eeac295a02c7820d5bc5db5cef9c6608.tmp

Loads dropped DLL 1 IoCs

pid	Process
1472	ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	5024	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 5024	1472	ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657.exe	83
PID 1472 wrote to memory of 5024	1472	ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657.exe	83
PID 1472 wrote to memory of 5024	1472	ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657.exe	83

C:\Users\Admin\AppData\Local\Temp\ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657.exe
"C:\Users\Admin\AppData\Local\Temp\ab8358ab4f244584994ec7e90d0f131ae31deef29c1587b9abe127fb6fc3f657.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\eeac295a02c7820d5bc5db5cef9c6608.exe
  C:\Users\Admin\AppData\Local\Temp\eeac295a02c7820d5bc5db5cef9c6608.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\is-NJSAD.tmp\eeac295a02c7820d5bc5db5cef9c6608.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-NJSAD.tmp\eeac295a02c7820d5bc5db5cef9c6608.tmp" /SL5="$A004C,705874,56832,C:\Users\Admin\AppData\Local\Temp\eeac295a02c7820d5bc5db5cef9c6608.exe"
    3⤵
    - Executes dropped EXE
    PID:2040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 480
    3⤵
    - Program crash
    PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5024 -ip 5024
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eeac295a02c7820d5bc5db5cef9c6608.exe

Filesize
791KB

MD5
b6d35cf84031f6d22fbb5fced7cf4765

SHA1
81dd94a7c7abfef562148e0566b2d34741331bbe

SHA256
6fd802d0309818f30a5d1fabe06082ccbd40a02f131d4d12266e84cc8d2778a8

SHA512
5e14bc5f0a71c3b888fd4862eab39963e40564e1e832d3a8841de421cd87c27f8f7daa7c05d88dc8920acc2f4604990aa23693e672618869f434269925e48ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeac295a02c7820d5bc5db5cef9c6608.exe

Filesize
791KB

MD5
b6d35cf84031f6d22fbb5fced7cf4765

SHA1
81dd94a7c7abfef562148e0566b2d34741331bbe

SHA256
6fd802d0309818f30a5d1fabe06082ccbd40a02f131d4d12266e84cc8d2778a8

SHA512
5e14bc5f0a71c3b888fd4862eab39963e40564e1e832d3a8841de421cd87c27f8f7daa7c05d88dc8920acc2f4604990aa23693e672618869f434269925e48ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NJSAD.tmp\eeac295a02c7820d5bc5db5cef9c6608.tmp

Filesize
44KB

MD5
4c275cff83d25bd055efc3833755fe28

SHA1
6625ab013964c32d6adcfeda1c70723e31d400e0

SHA256
a851065a80f432180a510a37557220ff4054a47e8a5348e2796803c2ec9bef40

SHA512
1d892b4087b28d79814eaae797899d0341e1d538ac87dcc4569488ec03daf3d8b09132a6afdb5547844f06dc9d28b8aee645d70bf341511e6de551620d18ed66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA6F4.tmp\nxs.dll

Filesize
6KB

MD5
8ca09b6200ffa05b54c6672d855beb4a

SHA1
daa16fe49c8b2250e9d2383b861cda51f876de49

SHA256
033e93ad470241c92762924ccfceafb849a525e263e5d4a3dbcfc2e07a8803c3

SHA512
6ab97181ec45430888d8ad3fd411de22423e1c057833e282af085a975198338c95f7ba10b7c69f33298afc88ddd38d01ab010998fd4a8ba8abb8561796bf9f14

Download Submit
memory/5024-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5024-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download