Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
15-11-2022 20:56
Static task
static1
Behavioral task
behavioral1
Sample
jetsoff887453.exe
Resource
win7-20221111-en
General
-
Target
jetsoff887453.exe
-
Size
226KB
-
MD5
1eea2dfdae7eb894956ca1c1640f68c5
-
SHA1
d84785baefe3f1fce5bbd9cf93c03bb09d8a20e8
-
SHA256
45b23c325946154b6990adf193926f99019ccc14f815a9768c208494197d3208
-
SHA512
64efce3783fd512b03cff3e3c3b93bda7ddf793f199e64809a13c64b948e91deb68dddb1394e5a24353ab42012df88e4a7f0a213b29e9ae3f006bff19755572d
-
SSDEEP
6144:MEa0NOhe6ib7DKeu/cIJyJJnJCDTRn5lAAfh:XONibPeOJnJY9Dh
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
krwcwm.exekrwcwm.exepid process 1268 krwcwm.exe 948 krwcwm.exe -
Loads dropped DLL 5 IoCs
Processes:
jetsoff887453.exekrwcwm.exeWerFault.exepid process 1732 jetsoff887453.exe 1268 krwcwm.exe 904 WerFault.exe 904 WerFault.exe 904 WerFault.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
krwcwm.exedescription pid process target process PID 1268 set thread context of 948 1268 krwcwm.exe krwcwm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 904 948 WerFault.exe krwcwm.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
krwcwm.exepid process 1268 krwcwm.exe 1268 krwcwm.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
jetsoff887453.exekrwcwm.exekrwcwm.exedescription pid process target process PID 1732 wrote to memory of 1268 1732 jetsoff887453.exe krwcwm.exe PID 1732 wrote to memory of 1268 1732 jetsoff887453.exe krwcwm.exe PID 1732 wrote to memory of 1268 1732 jetsoff887453.exe krwcwm.exe PID 1732 wrote to memory of 1268 1732 jetsoff887453.exe krwcwm.exe PID 1268 wrote to memory of 948 1268 krwcwm.exe krwcwm.exe PID 1268 wrote to memory of 948 1268 krwcwm.exe krwcwm.exe PID 1268 wrote to memory of 948 1268 krwcwm.exe krwcwm.exe PID 1268 wrote to memory of 948 1268 krwcwm.exe krwcwm.exe PID 1268 wrote to memory of 948 1268 krwcwm.exe krwcwm.exe PID 948 wrote to memory of 904 948 krwcwm.exe WerFault.exe PID 948 wrote to memory of 904 948 krwcwm.exe WerFault.exe PID 948 wrote to memory of 904 948 krwcwm.exe WerFault.exe PID 948 wrote to memory of 904 948 krwcwm.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\jetsoff887453.exe"C:\Users\Admin\AppData\Local\Temp\jetsoff887453.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 364⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cmxapzchjh.mfgFilesize
185KB
MD5e0393404e1db74cc34660a5a4cdf44b9
SHA188c7398ff382baee47b03705c8fe9cae33b5c66d
SHA256da3381d0f783bf287a0a7e4cf558732b4f3f6b952599463eb91e05a0993b78ad
SHA512bb74b2ccfaf07ca73325b324af0beb344ac2244d2d09f3e4673efc9e7becc5b219ead7870be10332f82061d2e1c5bb793660837b9f8a9aedd1c1d34724377936
-
C:\Users\Admin\AppData\Local\Temp\hwwsjbg.eFilesize
5KB
MD5fd5f4d91c7778d694137a815bbb14292
SHA16b3f4a6b14ccd69b3ff959376106876aaa5141df
SHA256c6633251a0126effcad26a968b952b49d041105192fb212506162d95ec114722
SHA51298d2ad43b1857894103702c8379dd672221d898c660bd4659cc46aaa5a8a3da321c85123464ab0cf626754973bc0b9e5f3a1941f80266bff91fe40aae9fb87d7
-
C:\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
C:\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
C:\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
\Users\Admin\AppData\Local\Temp\krwcwm.exeFilesize
13KB
MD589cb047bc134ce369ad1005598404480
SHA1e662924b6095d90662fb01c22fc0546c72630feb
SHA256ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd
SHA51203648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23
-
memory/904-64-0x0000000000000000-mapping.dmp
-
memory/948-62-0x000000000009F120-mapping.dmp
-
memory/1268-56-0x0000000000000000-mapping.dmp
-
memory/1732-54-0x0000000075551000-0x0000000075553000-memory.dmpFilesize
8KB