58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

Analysis

max time kernel
36s
max time network
48s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.3MB
MD5

2248acb14f2a8ade2512a0ddb417e7ce
SHA1

7e082916c5909f2a2da10f493ce00ab1355d5df0
SHA256

58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e
SHA512

5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2
SSDEEP

24576:YwxwYTHwpeliJe4F6YYENDvgd+XYzoKqpBSi:YweYTQpelik4FrXN7XDVI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

796 OWT.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

768 cmd.exe
1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
1396 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1396 796 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1512 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1520 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1476 powershell.exe
1992 powershell.exe

pid	process
796	OWT.exe

pid	process
768	cmd.exe
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe
1396	WerFault.exe

pid	pid_target	process	target process
1396	796	WerFault.exe	OWT.exe

pid	process
1512	schtasks.exe

pid	process
1520	timeout.exe

pid	process
1476	powershell.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1376	file.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	796	OWT.exe
Token: SeDebugPrivilege	1992	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1376 wrote to memory of 1476	1376	file.exe	powershell.exe
PID 1376 wrote to memory of 1476	1376	file.exe	powershell.exe
PID 1376 wrote to memory of 1476	1376	file.exe	powershell.exe
PID 1376 wrote to memory of 768	1376	file.exe	cmd.exe
PID 1376 wrote to memory of 768	1376	file.exe	cmd.exe
PID 1376 wrote to memory of 768	1376	file.exe	cmd.exe
PID 768 wrote to memory of 1520	768	cmd.exe	timeout.exe
PID 768 wrote to memory of 1520	768	cmd.exe	timeout.exe
PID 768 wrote to memory of 1520	768	cmd.exe	timeout.exe
PID 768 wrote to memory of 796	768	cmd.exe	OWT.exe
PID 768 wrote to memory of 796	768	cmd.exe	OWT.exe
PID 768 wrote to memory of 796	768	cmd.exe	OWT.exe
PID 796 wrote to memory of 1992	796	OWT.exe	powershell.exe
PID 796 wrote to memory of 1992	796	OWT.exe	powershell.exe
PID 796 wrote to memory of 1992	796	OWT.exe	powershell.exe
PID 796 wrote to memory of 1008	796	OWT.exe	cmd.exe
PID 796 wrote to memory of 1008	796	OWT.exe	cmd.exe
PID 796 wrote to memory of 1008	796	OWT.exe	cmd.exe
PID 1008 wrote to memory of 1512	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 1512	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 1512	1008	cmd.exe	schtasks.exe
PID 796 wrote to memory of 1396	796	OWT.exe	WerFault.exe
PID 796 wrote to memory of 1396	796	OWT.exe	WerFault.exe
PID 796 wrote to memory of 1396	796	OWT.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7531.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1520

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 796 -s 1520
4⤵
- Loads dropped DLL
- Program crash
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7531.tmp.bat

Filesize
138B

MD5
a62a6b415f598ea03537c8bf01fdd4fd

SHA1
0bc2e90b0e31a1ebbb869a1abe84445db45e89cf

SHA256
a2b959282b995fc665b86455f1040b6a012b0e413d5feaaee2497e9fa3fecfd6

SHA512
02c9c7859aac7a17119e44999878b571c539df933d8f06cb20e32e2238fd6ca992cb6be2fea766f048a9ec2b963fde4a8335976f81f231f8e28fc6ea5d6e4f0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
561c489089469138a57ae2fef98400ce

SHA1
ca8bd33df19773bb3780477a2495cf431c9a5cb1

SHA256
ff3af0037b488eb937c777cec26dea5a7ae376ba98f13c933ea2a6bbf084425c

SHA512
21d3da42dd486f8bae0bd6aad624294b777234a56f9a4995f40e6742c769ec4369219824b94e257283c28c90ecf7bec931853b97d15a54704a4bfa13c131e922

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
2248acb14f2a8ade2512a0ddb417e7ce

SHA1
7e082916c5909f2a2da10f493ce00ab1355d5df0

SHA256
58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

SHA512
5da704ecaf7fb968e8dd667937cceae70d5a29e99ce3d80b6a971aa79f4e9d9e51b73d9e0336533932560442a7b85d7aba67b4808d6971f61bf68381e8a18ec2

Download Submit
memory/768-75-0x0000000000000000-mapping.dmp

Download
memory/796-98-0x000007FEFD140000-0x000007FEFD1AC000-memory.dmp

Filesize
432KB

Download
memory/796-126-0x000007FEFC8F0000-0x000007FEFC912000-memory.dmp

Filesize
136KB

Download
memory/796-145-0x00000000013D0000-0x000000000158A000-memory.dmp

Filesize
1.7MB

Download
memory/796-144-0x0000000000B80000-0x0000000000BC2000-memory.dmp

Filesize
264KB

Download
memory/796-137-0x000007FEF5A80000-0x000007FEF5BB8000-memory.dmp

Filesize
1.2MB

Download
memory/796-136-0x000007FEFC5C0000-0x000007FEFC61B000-memory.dmp

Filesize
364KB

Download
memory/796-135-0x000007FEFD200000-0x000007FEFD236000-memory.dmp

Filesize
216KB

Download
memory/796-134-0x000007FEFABE0000-0x000007FEFAC07000-memory.dmp

Filesize
156KB

Download
memory/796-133-0x000007FEFCD70000-0x000007FEFCD95000-memory.dmp

Filesize
148KB

Download
memory/796-132-0x000007FEF9B50000-0x000007FEF9BC1000-memory.dmp

Filesize
452KB

Download
memory/796-131-0x000007FEF9AE0000-0x000007FEF9B44000-memory.dmp

Filesize
400KB

Download
memory/796-130-0x000007FEFEAF0000-0x000007FEFEB3D000-memory.dmp

Filesize
308KB

Download
memory/796-129-0x000007FEF0ED0000-0x000007FEF0F32000-memory.dmp

Filesize
392KB

Download
memory/796-128-0x000007FEFA730000-0x000007FEFA74C000-memory.dmp

Filesize
112KB

Download
memory/796-127-0x000007FEFC7A0000-0x000007FEFC7B7000-memory.dmp

Filesize
92KB

Download
memory/796-125-0x000007FEFF250000-0x000007FEFF26F000-memory.dmp

Filesize
124KB

Download
memory/796-122-0x000007FEFF170000-0x000007FEFF247000-memory.dmp

Filesize
860KB

Download
memory/796-117-0x000007FEFB2A0000-0x000007FEFB4B5000-memory.dmp

Filesize
2.1MB

Download
memory/796-109-0x00000000013D0000-0x000000000158A000-memory.dmp

Filesize
1.7MB

Download
memory/796-110-0x000007FEF63B0000-0x000007FEF64DC000-memory.dmp

Filesize
1.2MB

Download
memory/796-108-0x00000000013D0000-0x000000000158A000-memory.dmp

Filesize
1.7MB

Download
memory/796-107-0x000007FEFB6A0000-0x000007FEFB6F6000-memory.dmp

Filesize
344KB

Download
memory/796-105-0x000007FEFD340000-0x000007FEFD46D000-memory.dmp

Filesize
1.2MB

Download
memory/796-106-0x000007FEFEEA0000-0x000007FEFF0A3000-memory.dmp

Filesize
2.0MB

Download
memory/796-88-0x0000000000000000-mapping.dmp

Download
memory/796-92-0x000007FEF6880000-0x000007FEF68EF000-memory.dmp

Filesize
444KB

Download
memory/796-93-0x000007FEF6D00000-0x000007FEF6D9C000-memory.dmp

Filesize
624KB

Download
memory/796-94-0x000007FEFF3D0000-0x000007FEFF437000-memory.dmp

Filesize
412KB

Download
memory/796-96-0x000007FEFF0D0000-0x000007FEFF16F000-memory.dmp

Filesize
636KB

Download
memory/796-95-0x0000000077060000-0x000000007715A000-memory.dmp

Filesize
1000KB

Download
memory/796-97-0x0000000076F40000-0x000000007705F000-memory.dmp

Filesize
1.1MB

Download
memory/796-103-0x0000000000B80000-0x0000000000BC2000-memory.dmp

Filesize
264KB

Download
memory/796-99-0x000007FEFEA70000-0x000007FEFEAE1000-memory.dmp

Filesize
452KB

Download
memory/796-101-0x000007FEFD780000-0x000007FEFD85B000-memory.dmp

Filesize
876KB

Download
memory/796-100-0x000007FEF6780000-0x000007FEF6877000-memory.dmp

Filesize
988KB

Download
memory/796-102-0x000007FEF4420000-0x000007FEF4E0C000-memory.dmp

Filesize
9.9MB

Download
memory/796-104-0x00000000013D0000-0x000000000158A000-memory.dmp

Filesize
1.7MB

Download
memory/1008-115-0x0000000000000000-mapping.dmp

Download
memory/1376-58-0x0000000077060000-0x000000007715A000-memory.dmp

Filesize
1000KB

Download
memory/1376-64-0x000007FEFD780000-0x000007FEFD85B000-memory.dmp

Filesize
876KB

Download
memory/1376-60-0x0000000076F40000-0x000000007705F000-memory.dmp

Filesize
1.1MB

Download
memory/1376-68-0x000007FEFD340000-0x000007FEFD46D000-memory.dmp

Filesize
1.2MB

Download
memory/1376-69-0x000007FEFEEA0000-0x000007FEFF0A3000-memory.dmp

Filesize
2.0MB

Download
memory/1376-56-0x000007FEF6850000-0x000007FEF68EC000-memory.dmp

Filesize
624KB

Download
memory/1376-57-0x000007FEFF3D0000-0x000007FEFF437000-memory.dmp

Filesize
412KB

Download
memory/1376-61-0x000007FEFD140000-0x000007FEFD1AC000-memory.dmp

Filesize
432KB

Download
memory/1376-59-0x000007FEFF0D0000-0x000007FEFF16F000-memory.dmp

Filesize
636KB

Download
memory/1376-78-0x000007FEFF250000-0x000007FEFF26F000-memory.dmp

Filesize
124KB

Download
memory/1376-65-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/1376-63-0x000007FEF6750000-0x000007FEF6847000-memory.dmp

Filesize
988KB

Download
memory/1376-62-0x000007FEFEA70000-0x000007FEFEAE1000-memory.dmp

Filesize
452KB

Download
memory/1376-70-0x000007FEFB6A0000-0x000007FEFB6F6000-memory.dmp

Filesize
344KB

Download
memory/1376-71-0x0000000000050000-0x000000000020A000-memory.dmp

Filesize
1.7MB

Download
memory/1376-72-0x000007FEF64E0000-0x000007FEF660C000-memory.dmp

Filesize
1.2MB

Download
memory/1376-66-0x0000000000050000-0x000000000020A000-memory.dmp

Filesize
1.7MB

Download
memory/1376-55-0x000007FEF6D30000-0x000007FEF6D9F000-memory.dmp

Filesize
444KB

Download
memory/1376-67-0x00000000008F0000-0x0000000000932000-memory.dmp

Filesize
264KB

Download
memory/1376-81-0x00000000008F0000-0x0000000000932000-memory.dmp

Filesize
264KB

Download
memory/1376-80-0x0000000000050000-0x000000000020A000-memory.dmp

Filesize
1.7MB

Download
memory/1396-138-0x0000000000000000-mapping.dmp

Download
memory/1476-77-0x000007FEEC920000-0x000007FEED343000-memory.dmp

Filesize
10.1MB

Download
memory/1476-83-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/1476-86-0x0000000002A2B000-0x0000000002A4A000-memory.dmp

Filesize
124KB

Download
memory/1476-74-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1476-73-0x0000000000000000-mapping.dmp

Download
memory/1476-85-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/1476-84-0x0000000002A2B000-0x0000000002A4A000-memory.dmp

Filesize
124KB

Download
memory/1476-82-0x000007FEF4CA0000-0x000007FEF57FD000-memory.dmp

Filesize
11.4MB

Download
memory/1512-118-0x0000000000000000-mapping.dmp

Download
memory/1520-79-0x0000000000000000-mapping.dmp

Download
memory/1992-120-0x0000000001F74000-0x0000000001F77000-memory.dmp

Filesize
12KB

Download
memory/1992-119-0x000007FEEC240000-0x000007FEECD9D000-memory.dmp

Filesize
11.4MB

Download
memory/1992-111-0x0000000000000000-mapping.dmp

Download
memory/1992-121-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1992-123-0x0000000001F74000-0x0000000001F77000-memory.dmp

Filesize
12KB

Download
memory/1992-124-0x0000000001F7B000-0x0000000001F9A000-memory.dmp

Filesize
124KB

Download