af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9

Analysis

max time kernel
70s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe
Size

100KB
MD5

8ca303c4eb9cfbcd3b93f583511abfdf
SHA1

33fe4b8e965724143302b499934f1b5379b615a5
SHA256

af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9
SHA512

c5cb024a8e52eeb99b554f798b683fb1603ca5fe09470c671a817c544dcbc443ef6d88d588804e11a961ab25c8453a34ddaeb335892252f2ed4abf79b354c30e
SSDEEP

1536:9QxqcQu0yvmgEUs1rARbX/CJ+zsxm90BUNvE6V01Deo/k7:y/0gEUcr6bvvzsKp66oc7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

5erF4CB.exe5erF4CB.exe

pid process

316 5erF4CB.exe
1068 5erF4CB.exe

pid	process
316	5erF4CB.exe
1068	5erF4CB.exe

Loads dropped DLL 8 IoCs

Processes:

af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe5erF4CB.exeWerFault.exe

pid	process
2044	af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe
2044	af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe
316	5erF4CB.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5erF4CB.exe

description pid process target process

PID 316 set thread context of 1068 316 5erF4CB.exe 5erF4CB.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1548 1068 WerFault.exe 5erF4CB.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1484 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5erF4CB.exe

pid process

316 5erF4CB.exe

description	pid	process	target process
PID 316 set thread context of 1068	316	5erF4CB.exe	5erF4CB.exe

pid	pid_target	process	target process
1548	1068	WerFault.exe	5erF4CB.exe

pid	process
1484	DllHost.exe

pid	process
316	5erF4CB.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe5erF4CB.exe5erF4CB.exe

description	pid	process	target process
PID 2044 wrote to memory of 316	2044	af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe	5erF4CB.exe
PID 2044 wrote to memory of 316	2044	af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe	5erF4CB.exe
PID 2044 wrote to memory of 316	2044	af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe	5erF4CB.exe
PID 2044 wrote to memory of 316	2044	af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 316 wrote to memory of 1068	316	5erF4CB.exe	5erF4CB.exe
PID 1068 wrote to memory of 1548	1068	5erF4CB.exe	WerFault.exe
PID 1068 wrote to memory of 1548	1068	5erF4CB.exe	WerFault.exe
PID 1068 wrote to memory of 1548	1068	5erF4CB.exe	WerFault.exe
PID 1068 wrote to memory of 1548	1068	5erF4CB.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe
"C:\Users\Admin\AppData\Local\Temp\af9b9586beab6e4bd73ddc22da4e7619561b3a9d452a1e9ba498784ea32e7eb9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\5erF4CB.exe
"C:\Users\Admin\AppData\Local\Temp\5erF4CB.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\5erF4CB.exe
"C:\Users\Admin\AppData\Local\Temp\5erF4CB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:1548

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5erF691.jpg

Filesize
3KB

MD5
b7da412aa42bacd6a9ebb1c63b6ac1f5

SHA1
be17ab23608eafc6b14e025892a8d6b58b3a3834

SHA256
97351ea804ea25c1aa5a49b1f48c14af8ed1f0434455ffeeab9a7ea77e930664

SHA512
9f111496a2e0309821bf2a8148219d360ce7715ba12a5f9d40b107320d70b8766795377c646af8d13f1d7095a4e392f2753224ca589f290ca587016ac8d4fc25

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
\Users\Admin\AppData\Local\Temp\5erF4CB.exe

Filesize
74KB

MD5
0297a68fc6f338ad45d7eaaa8bdb6886

SHA1
e068b521fe13f8cda438d8eec25daee194b88953

SHA256
26fe9606b7ec84a0e0448ed34f008c65c6be01607ffec4c3d76871a695af7956

SHA512
7980aa95887bad3925a48c40e9735799f6c628cb3ea0615ad5b34900a23cf6d94ca26b5ca10cc5b2239744a69a082276edeb632877c41d862cd06633d2e6107b

Download Submit
memory/316-57-0x0000000000000000-mapping.dmp

Download
memory/1068-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-75-0x00000000004102FC-mapping.dmp

Download
memory/1068-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-80-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/1068-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-87-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1548-82-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download