8e5b19f0a617d54186f50e650b9eec8dba831b59b99fd4da8c0b16fe3fa52ab8

Analysis

max time kernel
9s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jets80054.exe
Size

304KB
MD5

f57974ed632c9b3aed13be4e2d4dfd7b
SHA1

729614769140d585e61b63cf04da1ff528ca58b5
SHA256

5308026699c3ce88917c846e9b6ae9939fbe08415a88937ec6ab74fd507ed98a
SHA512

0688ca6cec67e33482d38f31ae108ff222740fa486e663ed139f632412394526a6bbc51ae4c712ca818a3c4800c1859ae1ed11c12cc3cea5ef30075f86c1d433
SSDEEP

6144:MEa0NMikS9Le6rGEsNirbtz6xl3Y0ansq0XTHpGMQ:XMikSraESiF+l3jHq0k

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

kmqnvwtso.exekmqnvwtso.exe

pid process

1600 kmqnvwtso.exe
832 kmqnvwtso.exe
Loads dropped DLL 5 IoCs

Processes:

jets80054.exekmqnvwtso.exeWerFault.exe

pid process

1632 jets80054.exe
1600 kmqnvwtso.exe
1776 WerFault.exe
1776 WerFault.exe
1776 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

kmqnvwtso.exe

description pid process target process

PID 1600 set thread context of 832 1600 kmqnvwtso.exe kmqnvwtso.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1776 832 WerFault.exe kmqnvwtso.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

kmqnvwtso.exe

pid process

1600 kmqnvwtso.exe
1600 kmqnvwtso.exe

pid	process
1600	kmqnvwtso.exe
832	kmqnvwtso.exe

pid	process
1632	jets80054.exe
1600	kmqnvwtso.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe

description	pid	process	target process
PID 1600 set thread context of 832	1600	kmqnvwtso.exe	kmqnvwtso.exe

pid	pid_target	process	target process
1776	832	WerFault.exe	kmqnvwtso.exe

pid	process
1600	kmqnvwtso.exe
1600	kmqnvwtso.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jets80054.exekmqnvwtso.exekmqnvwtso.exe

description	pid	process	target process
PID 1632 wrote to memory of 1600	1632	jets80054.exe	kmqnvwtso.exe
PID 1632 wrote to memory of 1600	1632	jets80054.exe	kmqnvwtso.exe
PID 1632 wrote to memory of 1600	1632	jets80054.exe	kmqnvwtso.exe
PID 1632 wrote to memory of 1600	1632	jets80054.exe	kmqnvwtso.exe
PID 1600 wrote to memory of 832	1600	kmqnvwtso.exe	kmqnvwtso.exe
PID 1600 wrote to memory of 832	1600	kmqnvwtso.exe	kmqnvwtso.exe
PID 1600 wrote to memory of 832	1600	kmqnvwtso.exe	kmqnvwtso.exe
PID 1600 wrote to memory of 832	1600	kmqnvwtso.exe	kmqnvwtso.exe
PID 1600 wrote to memory of 832	1600	kmqnvwtso.exe	kmqnvwtso.exe
PID 832 wrote to memory of 1776	832	kmqnvwtso.exe	WerFault.exe
PID 832 wrote to memory of 1776	832	kmqnvwtso.exe	WerFault.exe
PID 832 wrote to memory of 1776	832	kmqnvwtso.exe	WerFault.exe
PID 832 wrote to memory of 1776	832	kmqnvwtso.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\jets80054.exe
"C:\Users\Admin\AppData\Local\Temp\jets80054.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe
"C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe
"C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\qknrnneti.o

Filesize
185KB

MD5
947ca1871fc4b401f41b9c0dbc9af30f

SHA1
6e96ef23737597e516084152b06bedc8e1d71d5f

SHA256
4ab8376ef4acda68064e3542f9544fbeefa45a357b268411b5ec4de691ab0f5b

SHA512
9c21bb470385b308fe808883cb9ec08566ad803ec7e8777162affc53d45c38bfec75e46fcb318228ffcc9c4394bc50f0f0ceb6aa6e80327ef798f7011332f681

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpintmjypwl.fpk

Filesize
5KB

MD5
da70c58f3ee7c8cde24797591b5a5fb7

SHA1
44c1649bae5696694493c56ed4f3f8abfd2f908f

SHA256
7a0186ea7241932180c9e7f2ef6fd08541c66e53ef2b4b750190baf760f409c6

SHA512
7db41e091f768c397ab155d060eb9635116b1081d2c0dbbdcbb1c8849e0d2f2799601ba53628174cfd7dde60869bfb44a9b17cc0e5c4f59d49c33299f14eab30

Download Submit
\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
memory/832-63-0x000000000009F120-mapping.dmp

Download
memory/1600-56-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1776-65-0x0000000000000000-mapping.dmp

Download