99371e32494bfb38d63bb427cb5f868bbfb1d342e030d3a04ef3b3651eaf8500

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1106d5f8e093af4ef06b0297fbd31f64.exe
Size

312KB
MD5

1106d5f8e093af4ef06b0297fbd31f64
SHA1

bda37d2687bfd83b3d0b82372e426482676084a7
SHA256

99371e32494bfb38d63bb427cb5f868bbfb1d342e030d3a04ef3b3651eaf8500
SHA512

941ad648289d42f218bc005f400ca251e69b332316c5e1fd833711f2c65a920a0d217ca38d8984fa0c3d3d4112dd49b9bd329926c9e59f08ef368fa5082a8fd9
SSDEEP

3072:WGJSq+ytGIon9KcdNPMKCrG0OQsq6YZon2JjR1Fu89WrvHxAKiOJGp+7Z:9Ea0RU/rGDHpYa2lrFvCRAnOJdZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

wjwmhx.exewjwmhx.exe

pid process

3608 wjwmhx.exe
3036 wjwmhx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wjwmhx.exe

description pid process target process

PID 3608 set thread context of 3036 3608 wjwmhx.exe wjwmhx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

444 3036 WerFault.exe wjwmhx.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

wjwmhx.exe

pid process

3608 wjwmhx.exe
3608 wjwmhx.exe

pid	process
3608	wjwmhx.exe
3036	wjwmhx.exe

description	pid	process	target process
PID 3608 set thread context of 3036	3608	wjwmhx.exe	wjwmhx.exe

pid	pid_target	process	target process
444	3036	WerFault.exe	wjwmhx.exe

pid	process
3608	wjwmhx.exe
3608	wjwmhx.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1106d5f8e093af4ef06b0297fbd31f64.exewjwmhx.exe

description	pid	process	target process
PID 1064 wrote to memory of 3608	1064	1106d5f8e093af4ef06b0297fbd31f64.exe	wjwmhx.exe
PID 1064 wrote to memory of 3608	1064	1106d5f8e093af4ef06b0297fbd31f64.exe	wjwmhx.exe
PID 1064 wrote to memory of 3608	1064	1106d5f8e093af4ef06b0297fbd31f64.exe	wjwmhx.exe
PID 3608 wrote to memory of 3036	3608	wjwmhx.exe	wjwmhx.exe
PID 3608 wrote to memory of 3036	3608	wjwmhx.exe	wjwmhx.exe
PID 3608 wrote to memory of 3036	3608	wjwmhx.exe	wjwmhx.exe
PID 3608 wrote to memory of 3036	3608	wjwmhx.exe	wjwmhx.exe

C:\Users\Admin\AppData\Local\Temp\1106d5f8e093af4ef06b0297fbd31f64.exe
"C:\Users\Admin\AppData\Local\Temp\1106d5f8e093af4ef06b0297fbd31f64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\wjwmhx.exe
  "C:\Users\Admin\AppData\Local\Temp\wjwmhx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\wjwmhx.exe
    "C:\Users\Admin\AppData\Local\Temp\wjwmhx.exe"
    3⤵
    - Executes dropped EXE
    PID:3036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 520
      4⤵
      Program crash
      PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afsiiwub.s

Filesize
5KB

MD5
ec80c32bd20d9d75cd33ec16b1acb343

SHA1
8b063a59dcc4071815f5df36e4fc5ef16af4e70b

SHA256
50702fc7e09c1df2b2c785439635be0fd4ecd266da828cb2ec82d4e5d0be4c56

SHA512
5954313a51305c627b0ac15201aace6e807d207b80114b976b9af788dd9d5534f66247f0419de542b9b224f60f539d7a408d041a64c7d371778e03183301f2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivabcsgyd.wb

Filesize
113KB

MD5
a50ae6d9c7fec808964289c979383031

SHA1
bfa18d08fc3c6f9418d875a4efb3bdea0100b7ea

SHA256
ea8796daaf3e9cda11f65f5f7f8e53f6e06d1b22e7e134486c236693118122be

SHA512
a6ba4545def16747c953d9c056ec5930ba6a651dd391bede774f91a8523135d3f8e56f3828090f8460c1838db813188dafe6357161b6d643a0a605153e6cf31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjwmhx.exe

Filesize
9KB

MD5
4361aaa914385b04ddccc62104521131

SHA1
6c5dfebfd075659312d69ad54c8345b6810c10be

SHA256
7a5ccd5418befc7e1c02cce4ef41955096b9a37d32104f949c1dd832500b45f3

SHA512
77a926af33346e15897bcf0274cd92da838b7db202a9dc3d36209f8b8cb77750e90d5c9b51e1e363305b38b2bb78de5acd8e7502fbb2528833b45af763185740

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjwmhx.exe

Filesize
9KB

MD5
4361aaa914385b04ddccc62104521131

SHA1
6c5dfebfd075659312d69ad54c8345b6810c10be

SHA256
7a5ccd5418befc7e1c02cce4ef41955096b9a37d32104f949c1dd832500b45f3

SHA512
77a926af33346e15897bcf0274cd92da838b7db202a9dc3d36209f8b8cb77750e90d5c9b51e1e363305b38b2bb78de5acd8e7502fbb2528833b45af763185740

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjwmhx.exe

Filesize
9KB

MD5
4361aaa914385b04ddccc62104521131

SHA1
6c5dfebfd075659312d69ad54c8345b6810c10be

SHA256
7a5ccd5418befc7e1c02cce4ef41955096b9a37d32104f949c1dd832500b45f3

SHA512
77a926af33346e15897bcf0274cd92da838b7db202a9dc3d36209f8b8cb77750e90d5c9b51e1e363305b38b2bb78de5acd8e7502fbb2528833b45af763185740

Download Submit
memory/3036-137-0x0000000000000000-mapping.dmp

Download
memory/3608-132-0x0000000000000000-mapping.dmp

Download