5bcc20fdf7090ca1f2ca66ab752d0965478666dc2952c435a3a4490423dac47f

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-11-2022 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jetsoff887453.exe
Size

226KB
MD5

1eea2dfdae7eb894956ca1c1640f68c5
SHA1

d84785baefe3f1fce5bbd9cf93c03bb09d8a20e8
SHA256

45b23c325946154b6990adf193926f99019ccc14f815a9768c208494197d3208
SHA512

64efce3783fd512b03cff3e3c3b93bda7ddf793f199e64809a13c64b948e91deb68dddb1394e5a24353ab42012df88e4a7f0a213b29e9ae3f006bff19755572d
SSDEEP

6144:MEa0NOhe6ib7DKeu/cIJyJJnJCDTRn5lAAfh:XONibPeOJnJY9Dh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

krwcwm.exekrwcwm.exe

pid process

1268 krwcwm.exe
948 krwcwm.exe
Loads dropped DLL 5 IoCs

Processes:

jetsoff887453.exekrwcwm.exeWerFault.exe

pid process

1732 jetsoff887453.exe
1268 krwcwm.exe
904 WerFault.exe
904 WerFault.exe
904 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

krwcwm.exe

description pid process target process

PID 1268 set thread context of 948 1268 krwcwm.exe krwcwm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

904 948 WerFault.exe krwcwm.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

krwcwm.exe

pid process

1268 krwcwm.exe
1268 krwcwm.exe

pid	process
1268	krwcwm.exe
948	krwcwm.exe

pid	process
1732	jetsoff887453.exe
1268	krwcwm.exe
904	WerFault.exe
904	WerFault.exe
904	WerFault.exe

description	pid	process	target process
PID 1268 set thread context of 948	1268	krwcwm.exe	krwcwm.exe

pid	pid_target	process	target process
904	948	WerFault.exe	krwcwm.exe

pid	process
1268	krwcwm.exe
1268	krwcwm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jetsoff887453.exekrwcwm.exekrwcwm.exe

description	pid	process	target process
PID 1732 wrote to memory of 1268	1732	jetsoff887453.exe	krwcwm.exe
PID 1732 wrote to memory of 1268	1732	jetsoff887453.exe	krwcwm.exe
PID 1732 wrote to memory of 1268	1732	jetsoff887453.exe	krwcwm.exe
PID 1732 wrote to memory of 1268	1732	jetsoff887453.exe	krwcwm.exe
PID 1268 wrote to memory of 948	1268	krwcwm.exe	krwcwm.exe
PID 1268 wrote to memory of 948	1268	krwcwm.exe	krwcwm.exe
PID 1268 wrote to memory of 948	1268	krwcwm.exe	krwcwm.exe
PID 1268 wrote to memory of 948	1268	krwcwm.exe	krwcwm.exe
PID 1268 wrote to memory of 948	1268	krwcwm.exe	krwcwm.exe
PID 948 wrote to memory of 904	948	krwcwm.exe	WerFault.exe
PID 948 wrote to memory of 904	948	krwcwm.exe	WerFault.exe
PID 948 wrote to memory of 904	948	krwcwm.exe	WerFault.exe
PID 948 wrote to memory of 904	948	krwcwm.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\jetsoff887453.exe
"C:\Users\Admin\AppData\Local\Temp\jetsoff887453.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
"C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
"C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmxapzchjh.mfg
Filesize
185KB

MD5
e0393404e1db74cc34660a5a4cdf44b9

SHA1
88c7398ff382baee47b03705c8fe9cae33b5c66d

SHA256
da3381d0f783bf287a0a7e4cf558732b4f3f6b952599463eb91e05a0993b78ad

SHA512
bb74b2ccfaf07ca73325b324af0beb344ac2244d2d09f3e4673efc9e7becc5b219ead7870be10332f82061d2e1c5bb793660837b9f8a9aedd1c1d34724377936

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwwsjbg.e
Filesize
5KB

MD5
fd5f4d91c7778d694137a815bbb14292

SHA1
6b3f4a6b14ccd69b3ff959376106876aaa5141df

SHA256
c6633251a0126effcad26a968b952b49d041105192fb212506162d95ec114722

SHA512
98d2ad43b1857894103702c8379dd672221d898c660bd4659cc46aaa5a8a3da321c85123464ab0cf626754973bc0b9e5f3a1941f80266bff91fe40aae9fb87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
memory/904-64-0x0000000000000000-mapping.dmp

Download
memory/948-62-0x000000000009F120-mapping.dmp

Download
memory/1268-56-0x0000000000000000-mapping.dmp

Download
memory/1732-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download