c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe
Size

981KB
MD5

ca860f0f21d779e79d5e3bfe49bdcce7
SHA1

b36e40aa2961d3859d1009b8882acea7f6b7cadc
SHA256

c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327
SHA512

6527ed10949589a767ea1bf08dbbe1a0dd18d679e27d1d40b64a14c0adff7afbcd56af61ba4c750384bf257d6941fd34c7e99a41561203a9c2ab4bed61ad2764
SSDEEP

24576:N4YbsXE3xgTezBMOQtBosaPJZEz+YEsXT:m0sUBgTmxQtTaPJZEarsD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe

pid	process
800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe
800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe
800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe
800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1948 800 WerFault.exe c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe

pid	pid_target	process	target process
1948	800	WerFault.exe	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe

description	pid	process	target process
PID 800 wrote to memory of 1948	800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe	WerFault.exe
PID 800 wrote to memory of 1948	800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe	WerFault.exe
PID 800 wrote to memory of 1948	800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe	WerFault.exe
PID 800 wrote to memory of 1948	800	c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe
"C:\Users\Admin\AppData\Local\Temp\c96efc21ae3490a80fa2dab0758e2f23de274762a4e917f1292955fb90814327.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 600
2⤵
- Program crash
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdEEB4.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsdEEB4.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsdEEB4.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsdEEB4.tmp\utils.dll

Filesize
168KB

MD5
4e3325743a94ce258f50bfd65604743a

SHA1
3b808a2da2b9d8c78cd38ec6ae2c478243a7a939

SHA256
4148043a10a35abe89585c070dcc7f5dd6b0d5fe8b3e20295e0fdce391672fec

SHA512
47f1e485843a0c11adcd87984f7e8b495c2fc2a9b6795fae13620f30a82eb2453d9c7c0b90d26373b33741dccdc9fa496117931091d03f0f747ce409b24041d5

Download Submit
memory/800-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1948-61-0x0000000000000000-mapping.dmp

Download