bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe
Size

879KB
MD5

1ce16812d9fe060307b3efdb75b16929
SHA1

3db6dc2eb56b794e7b943688640605f62dce0314
SHA256

bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912
SHA512

ed485f766f9027464bc441bc1c38401889aa38cd602409a19c07a54bfc582753d01b607631382e9298603aac0ddb30187b46a74e0c8a0996efba75ed4bae8e18
SSDEEP

12288:qat0EAH49n8BqByODm186QdHSP6HUb/avqOewPXkUXGB86k4GQSncwFuR9c2/N4v:lt24ZFDmKrSPQHTXkUXGi60/cwUR+v

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

1300 2.exe

pid	process
1300	2.exe

Loads dropped DLL 9 IoCs

Processes:

bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exeWerFault.exe

pid	process
1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe
1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe
1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe
1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 1300 WerFault.exe 2.exe

pid	pid_target	process	target process
1780	1300	WerFault.exe	2.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe2.exe

description	pid	process	target process
PID 1280 wrote to memory of 1300	1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe	2.exe
PID 1280 wrote to memory of 1300	1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe	2.exe
PID 1280 wrote to memory of 1300	1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe	2.exe
PID 1280 wrote to memory of 1300	1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe	2.exe
PID 1280 wrote to memory of 1300	1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe	2.exe
PID 1280 wrote to memory of 1300	1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe	2.exe
PID 1280 wrote to memory of 1300	1280	bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe	2.exe
PID 1300 wrote to memory of 1780	1300	2.exe	WerFault.exe
PID 1300 wrote to memory of 1780	1300	2.exe	WerFault.exe
PID 1300 wrote to memory of 1780	1300	2.exe	WerFault.exe
PID 1300 wrote to memory of 1780	1300	2.exe	WerFault.exe
PID 1300 wrote to memory of 1780	1300	2.exe	WerFault.exe
PID 1300 wrote to memory of 1780	1300	2.exe	WerFault.exe
PID 1300 wrote to memory of 1780	1300	2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe
"C:\Users\Admin\AppData\Local\Temp\bd115d081031665e37b566d458472e5ff850d0f794f0d580233efe5ae0aef912.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 684
3⤵
- Loads dropped DLL
- Program crash
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1300-59-0x0000000000000000-mapping.dmp

Download
memory/1300-63-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/1780-64-0x0000000000000000-mapping.dmp

Download