72903788ca82bf6ef459c9dc518bc1af0227dfa78f3800c982c7e00ced7ff6a7

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

oofjets44321.exe
Size

225KB
MD5

99b61d1223377eb0a459e3d44738ed83
SHA1

9991fe427d8b8fd0e6475f1c4381efa2914ce5eb
SHA256

72903788ca82bf6ef459c9dc518bc1af0227dfa78f3800c982c7e00ced7ff6a7
SHA512

75cd2a94fd9b3c859325e0502bc2ff441bac87f4cbfd0ad7f2ccf98034b3cf32ec876495f07c07e3d41127af008a20f06da56bbc792f5f93836de76102b00504
SSDEEP

6144:MEa0NKeSRW2GwVuvqsZ1dyLvqU1Bpxdzc3c51xI5Rv4eT/d3bh:X2MwY7DdKyU1JPILweT/9bh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

lsncl.exelsncl.exe

pid process

276 lsncl.exe
1072 lsncl.exe
Loads dropped DLL 5 IoCs

Processes:

oofjets44321.exelsncl.exeWerFault.exe

pid process

1732 oofjets44321.exe
276 lsncl.exe
1308 WerFault.exe
1308 WerFault.exe
1308 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lsncl.exe

description pid process target process

PID 276 set thread context of 1072 276 lsncl.exe lsncl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1308 1072 WerFault.exe lsncl.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

lsncl.exe

pid process

276 lsncl.exe
276 lsncl.exe

pid	process
276	lsncl.exe
1072	lsncl.exe

pid	process
1732	oofjets44321.exe
276	lsncl.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe

description	pid	process	target process
PID 276 set thread context of 1072	276	lsncl.exe	lsncl.exe

pid	pid_target	process	target process
1308	1072	WerFault.exe	lsncl.exe

pid	process
276	lsncl.exe
276	lsncl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

oofjets44321.exelsncl.exelsncl.exe

description	pid	process	target process
PID 1732 wrote to memory of 276	1732	oofjets44321.exe	lsncl.exe
PID 1732 wrote to memory of 276	1732	oofjets44321.exe	lsncl.exe
PID 1732 wrote to memory of 276	1732	oofjets44321.exe	lsncl.exe
PID 1732 wrote to memory of 276	1732	oofjets44321.exe	lsncl.exe
PID 276 wrote to memory of 1072	276	lsncl.exe	lsncl.exe
PID 276 wrote to memory of 1072	276	lsncl.exe	lsncl.exe
PID 276 wrote to memory of 1072	276	lsncl.exe	lsncl.exe
PID 276 wrote to memory of 1072	276	lsncl.exe	lsncl.exe
PID 276 wrote to memory of 1072	276	lsncl.exe	lsncl.exe
PID 1072 wrote to memory of 1308	1072	lsncl.exe	WerFault.exe
PID 1072 wrote to memory of 1308	1072	lsncl.exe	WerFault.exe
PID 1072 wrote to memory of 1308	1072	lsncl.exe	WerFault.exe
PID 1072 wrote to memory of 1308	1072	lsncl.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\oofjets44321.exe
"C:\Users\Admin\AppData\Local\Temp\oofjets44321.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\lsncl.exe
"C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:276

C:\Users\Admin\AppData\Local\Temp\lsncl.exe
"C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:1308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akpbo.ka
Filesize
5KB

MD5
390d433d07acc1094fbeebf76b16fabe

SHA1
4c42359447505b626ec0547790f4bce21a870c02

SHA256
ee5d0ee5b1ee2f43dd4a1d81bcb65accd9d2cbfa245177c67824b8d7a082c5ac

SHA512
aadf015511bea083c69bb4bea3189ffcff20c26ec812376a115c0efdcc0d891e6c20d1586e5ef3c95ebe472c13779cb421c6691d55384ba3e7dc2582b804ff79

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\maelloflsq.oxq
Filesize
185KB

MD5
4e1d4df2d71cdb5df8fc1c0ad6bee489

SHA1
ca0c4674a8733c08b900d3bb8740aa0243097fe1

SHA256
c6a4424d5595be2badf65dee2472a70caeb07bbb41c767cfa2683502e66a9f16

SHA512
a8e621de16cafe2045aa35758970b01e038af44f2ec19100ae8f126e7ee281b6b2341e26d0ded09327659bab6ed6ac2567ad5a2f9e6db7be3775dd46f1f7f960

Download Submit
\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
memory/276-56-0x0000000000000000-mapping.dmp

Download
memory/1072-63-0x000000000009F120-mapping.dmp

Download
memory/1308-65-0x0000000000000000-mapping.dmp

Download
memory/1732-54-0x0000000074D71000-0x0000000074D73000-memory.dmp

Filesize
8KB

Download