f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe
Size

973KB
MD5

cb0b9766a27a5f2b7d43a7bb6b66904e
SHA1

6508d99df644c65f4da0b361a840ccd6464fb709
SHA256

f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa
SHA512

548bbbdd31349ba82b72cdce1aa54985087abd73f1642289fe81a34c9d8b1e64dfb6686fa39572d399810f6031b3f300937841510cd6fa5cf099b5f4911db0cc
SSDEEP

24576:72O/GlWswtHDyg7KCZXXVbhhUED4RVPVI8Q/ELb4I/nN:jtHegPZnVhhUEDAILWUI/nN

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

acptwjvhik.exe

pid process

1312 acptwjvhik.exe

pid	process
1312	acptwjvhik.exe

Loads dropped DLL 9 IoCs

Processes:

f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exeWerFault.exe

pid	process
1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe
1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe
1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe
1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

acptwjvhik.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\2K1A7W~1 = "C:\\Users\\Admin\\2K1A7W~1\\mhksgnybjacogw.vbs"	acptwjvhik.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	acptwjvhik.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

acptwjvhik.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA acptwjvhik.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1360 1312 WerFault.exe acptwjvhik.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

acptwjvhik.exe

pid process

1312 acptwjvhik.exe
1312 acptwjvhik.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	acptwjvhik.exe

pid	pid_target	process	target process
1360	1312	WerFault.exe	acptwjvhik.exe

pid	process
1312	acptwjvhik.exe
1312	acptwjvhik.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exeacptwjvhik.exe

description	pid	process	target process
PID 1980 wrote to memory of 1312	1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe	acptwjvhik.exe
PID 1980 wrote to memory of 1312	1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe	acptwjvhik.exe
PID 1980 wrote to memory of 1312	1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe	acptwjvhik.exe
PID 1980 wrote to memory of 1312	1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe	acptwjvhik.exe
PID 1980 wrote to memory of 1312	1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe	acptwjvhik.exe
PID 1980 wrote to memory of 1312	1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe	acptwjvhik.exe
PID 1980 wrote to memory of 1312	1980	f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe	acptwjvhik.exe
PID 1312 wrote to memory of 1360	1312	acptwjvhik.exe	WerFault.exe
PID 1312 wrote to memory of 1360	1312	acptwjvhik.exe	WerFault.exe
PID 1312 wrote to memory of 1360	1312	acptwjvhik.exe	WerFault.exe
PID 1312 wrote to memory of 1360	1312	acptwjvhik.exe	WerFault.exe
PID 1312 wrote to memory of 1360	1312	acptwjvhik.exe	WerFault.exe
PID 1312 wrote to memory of 1360	1312	acptwjvhik.exe	WerFault.exe
PID 1312 wrote to memory of 1360	1312	acptwjvhik.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe
"C:\Users\Admin\AppData\Local\Temp\f5e5a2215efbedafe5359e969e7abfe13fd9441f46870a3ec01efbc37494edfa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\2k1a7wjyby5\acptwjvhik.exe
  "C:\Users\Admin\2k1a7wjyby5\acptwjvhik.exe" kzwfr.QVS
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 304
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2K1A7W~1\gfaxrnw.QPD

Filesize
403KB

MD5
11ee5d45a6ec3d33c2a915f391897ca9

SHA1
90d7014e85894d9d2a6d968a66d919f7fde123bc

SHA256
c5e2a739a97062173c49a0b851a655453a710fc9910aab4164986b1b23b94327

SHA512
3eb9177dab1d36b55bdb846b7fe53b490bb6b421c800374f53dc1e090e9a254451aa0bcc7a92226798cf81ba242f2eff868455578d04517828697f70706121e0

Download Submit
C:\Users\Admin\2K1A7W~1\ppwdbc.DZT

Filesize
172B

MD5
e28675c1efabad9141861b162fab4a9a

SHA1
57bad78732d71903b89b51c8790d87b1b1301964

SHA256
7ac5ed2f78f77efe9f438c85e75b7e9567420a4873cd1d090c273c2578f39408

SHA512
982f94896fdf37f94c76f3b6aa32a3e69d6335a7200278da9aeff3b81b7fc10f8f2999a9cf504cad741016a80f95e319e80b8c873264943dd7d633a4c3e9898b

Download Submit
C:\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\2k1a7wjyby5\kzwfr.QVS

Filesize
31.5MB

MD5
40a40cd740813e5f84d053c8f40ac524

SHA1
2c5028ef2a78360cfbdb90bdb39cbf29a0a446d6

SHA256
e7db2d26d7bc04b5fddc033f952e8603e94e5092043697bc12a74c159c255771

SHA512
9816bcf6dcba9a7ca3f56bdcb53eda5b41a44632067a041926fc0b05407cff1322d24b81ccf407e580370fa5fcc217d952ae7bf43dc0bce42f1748283408ac86

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\2k1a7wjyby5\acptwjvhik.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/1312-59-0x0000000000000000-mapping.dmp

Download
memory/1360-65-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download