075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b

Analysis

max time kernel
37s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe
Size

234KB
MD5

9ee6d29b1b568feaa87123ed03f36db3
SHA1

678fc28a78ca1727dbb5974efd4c784ae1c3c6ab
SHA256

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b
SHA512

2cb6a4963692946323bdfe6ba67852f444d3fdf27a98e7ddb2d642c3749acef8ae26bc77f2e6591f381e651ada9f3b27a06eee498507ad84bb9fa594a68fdeb5
SSDEEP

6144:VnBThdqtE1FE8ndWLQGnxrn1FwIClJkgFc32v:nbDNQZJcTbk/S

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

retydtfdt26.exe26.exe

pid process

1756 retydtfdt26.exe
1608 26.exe

pid	process
1756	retydtfdt26.exe
1608	26.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/604-55-0x0000000000400000-0x0000000000426000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
behavioral1/memory/1756-75-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/604-83-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Loads dropped DLL 13 IoCs

Processes:

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exeretydtfdt26.exe26.exeWerFault.exe

pid	process
604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe
1756	retydtfdt26.exe
1756	retydtfdt26.exe
1756	retydtfdt26.exe
1756	retydtfdt26.exe
1756	retydtfdt26.exe
1608	26.exe
1608	26.exe
1608	26.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1104 1608 WerFault.exe 26.exe

pid	pid_target	process	target process
1104	1608	WerFault.exe	26.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exeretydtfdt26.exe26.exe

description	pid	process	target process
PID 604 wrote to memory of 1756	604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 604 wrote to memory of 1756	604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 604 wrote to memory of 1756	604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 604 wrote to memory of 1756	604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 604 wrote to memory of 1756	604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 604 wrote to memory of 1756	604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 604 wrote to memory of 1756	604	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 1756 wrote to memory of 1608	1756	retydtfdt26.exe	26.exe
PID 1756 wrote to memory of 1608	1756	retydtfdt26.exe	26.exe
PID 1756 wrote to memory of 1608	1756	retydtfdt26.exe	26.exe
PID 1756 wrote to memory of 1608	1756	retydtfdt26.exe	26.exe
PID 1756 wrote to memory of 1608	1756	retydtfdt26.exe	26.exe
PID 1756 wrote to memory of 1608	1756	retydtfdt26.exe	26.exe
PID 1756 wrote to memory of 1608	1756	retydtfdt26.exe	26.exe
PID 1608 wrote to memory of 1104	1608	26.exe	WerFault.exe
PID 1608 wrote to memory of 1104	1608	26.exe	WerFault.exe
PID 1608 wrote to memory of 1104	1608	26.exe	WerFault.exe
PID 1608 wrote to memory of 1104	1608	26.exe	WerFault.exe
PID 1608 wrote to memory of 1104	1608	26.exe	WerFault.exe
PID 1608 wrote to memory of 1104	1608	26.exe	WerFault.exe
PID 1608 wrote to memory of 1104	1608	26.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe
"C:\Users\Admin\AppData\Local\Temp\075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 256
4⤵
- Loads dropped DLL
- Program crash
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
memory/604-56-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/604-74-0x0000000002F80000-0x0000000002FA6000-memory.dmp

Filesize
152KB

Download
memory/604-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/604-83-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1104-78-0x0000000000000000-mapping.dmp

Download
memory/1608-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-68-0x0000000000000000-mapping.dmp

Download
memory/1756-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-76-0x00000000030C0000-0x000000000310F000-memory.dmp

Filesize
316KB

Download
memory/1756-58-0x0000000000000000-mapping.dmp

Download