33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe
Size

283KB
MD5

aef53770b34b8bd7a60532676dcd84e9
SHA1

a06b910c9337fa0914fadcb0c6b5e788bc1b6429
SHA256

33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22
SHA512

c87753b45517af378d226d4f960f5730975000897821bfd5ce2289ccd4fe882e76a12c48563a579a2898bfef34515cca0963d68906d79c2fdab9576c53624e5b
SSDEEP

6144:ia4InuJg58BkgqPoDH49n8Bb/c1Mgm5C1HdN/zZVBHL:iat0EAH49n8BGe5K9N/pL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

1160 2.exe

pid	process
1160	2.exe

Loads dropped DLL 9 IoCs

Processes:

33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exeWerFault.exe

pid	process
2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe
2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe
2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe
2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1960 1160 WerFault.exe 2.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1636 NOTEPAD.EXE

pid	pid_target	process	target process
1960	1160	WerFault.exe	2.exe

pid	process
1636	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe2.exe

description	pid	process	target process
PID 2028 wrote to memory of 1160	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	2.exe
PID 2028 wrote to memory of 1160	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	2.exe
PID 2028 wrote to memory of 1160	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	2.exe
PID 2028 wrote to memory of 1160	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	2.exe
PID 2028 wrote to memory of 1160	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	2.exe
PID 2028 wrote to memory of 1160	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	2.exe
PID 2028 wrote to memory of 1160	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	2.exe
PID 2028 wrote to memory of 1636	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 1636	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 1636	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 1636	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 1636	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 1636	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 1636	2028	33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe	NOTEPAD.EXE
PID 1160 wrote to memory of 1960	1160	2.exe	WerFault.exe
PID 1160 wrote to memory of 1960	1160	2.exe	WerFault.exe
PID 1160 wrote to memory of 1960	1160	2.exe	WerFault.exe
PID 1160 wrote to memory of 1960	1160	2.exe	WerFault.exe
PID 1160 wrote to memory of 1960	1160	2.exe	WerFault.exe
PID 1160 wrote to memory of 1960	1160	2.exe	WerFault.exe
PID 1160 wrote to memory of 1960	1160	2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe
"C:\Users\Admin\AppData\Local\Temp\33b513b680d1502243d3d1f4dcbf271d189faa4426a1fafe1dea3d879a09fb22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 684
3⤵
- Loads dropped DLL
- Program crash
PID:1960

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.txt

Filesize
178KB

MD5
54e0bee5995285fff226fe33685d6c4b

SHA1
811308cc3d4b8454dfa440430614351aeb1f4b7a

SHA256
60742ce9f1417053593d123886fb0d6b59ad696ca7c3e7b7c9bc3c305ed32b96

SHA512
de6d8a12984ed43615ddeef6e073858ae289e8e7b546025bcd4e25a01377920c24506e15cb54fdc47118b05a9c3f9f81ce4ab33c3290f64d42d3e35827d92bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
6KB

MD5
498c24826d02ada78fe8cf90a6cbc332

SHA1
d0d3163f372009d199ad9c2030489e7f3feb0706

SHA256
a1c6709fd507ab781c74c4b01fc48a5481d8b0dc492b4635d8d4c9309d642a4b

SHA512
fbc57ac4f38ca814fe28d2abab812232de8256047ff3f603010840e238cf5c01ec54804f52fb59a847c03cfa09069aa23065f8da4b29f5a5bb889d90037b69c5

Download Submit
memory/1160-59-0x0000000000000000-mapping.dmp

Download
memory/1160-66-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/1636-62-0x0000000000000000-mapping.dmp

Download
memory/1960-67-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download