57a049e4822fcf7f1732c25ae3e0096e573066331716d81e4035da3667d565bb

Analysis

max time kernel
42s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jetsoff6543.exe
Size

214KB
MD5

3052597dc463bafa0c102a204dbf58fc
SHA1

bc083a8e34abfc24ea8b94b1325354ea2f4a08bb
SHA256

84a150ec171d193dbd5738ade685f3225716b6945e59625ce458f0a9069860b8
SHA512

9925797cf5061017bcfbf37ab968c0ddeda7e7abd6d2db8abb62aeb6ca0a711672b1cfd9c8a3ef7af07cedc9b7a4d8d0071a2371caabaacd9323d270ab6d4246
SSDEEP

6144:qweEpoJiPJhQxjr858KG3NLsJrdtvUlAg:boJi0xnYUaJpx5g

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

qfaeenx.exeqfaeenx.exe

pid process

2016 qfaeenx.exe
1012 qfaeenx.exe
Loads dropped DLL 5 IoCs

Processes:

jetsoff6543.exeqfaeenx.exeWerFault.exe

pid process

2000 jetsoff6543.exe
2016 qfaeenx.exe
676 WerFault.exe
676 WerFault.exe
676 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

qfaeenx.exe

description pid process target process

PID 2016 set thread context of 1012 2016 qfaeenx.exe qfaeenx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

676 1012 WerFault.exe qfaeenx.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

qfaeenx.exe

pid process

2016 qfaeenx.exe
2016 qfaeenx.exe

pid	process
2016	qfaeenx.exe
1012	qfaeenx.exe

pid	process
2000	jetsoff6543.exe
2016	qfaeenx.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe

description	pid	process	target process
PID 2016 set thread context of 1012	2016	qfaeenx.exe	qfaeenx.exe

pid	pid_target	process	target process
676	1012	WerFault.exe	qfaeenx.exe

pid	process
2016	qfaeenx.exe
2016	qfaeenx.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jetsoff6543.exeqfaeenx.exeqfaeenx.exe

description	pid	process	target process
PID 2000 wrote to memory of 2016	2000	jetsoff6543.exe	qfaeenx.exe
PID 2000 wrote to memory of 2016	2000	jetsoff6543.exe	qfaeenx.exe
PID 2000 wrote to memory of 2016	2000	jetsoff6543.exe	qfaeenx.exe
PID 2000 wrote to memory of 2016	2000	jetsoff6543.exe	qfaeenx.exe
PID 2016 wrote to memory of 1012	2016	qfaeenx.exe	qfaeenx.exe
PID 2016 wrote to memory of 1012	2016	qfaeenx.exe	qfaeenx.exe
PID 2016 wrote to memory of 1012	2016	qfaeenx.exe	qfaeenx.exe
PID 2016 wrote to memory of 1012	2016	qfaeenx.exe	qfaeenx.exe
PID 2016 wrote to memory of 1012	2016	qfaeenx.exe	qfaeenx.exe
PID 1012 wrote to memory of 676	1012	qfaeenx.exe	WerFault.exe
PID 1012 wrote to memory of 676	1012	qfaeenx.exe	WerFault.exe
PID 1012 wrote to memory of 676	1012	qfaeenx.exe	WerFault.exe
PID 1012 wrote to memory of 676	1012	qfaeenx.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\jetsoff6543.exe
"C:\Users\Admin\AppData\Local\Temp\jetsoff6543.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\qfaeenx.exe
"C:\Users\Admin\AppData\Local\Temp\qfaeenx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\qfaeenx.exe
"C:\Users\Admin\AppData\Local\Temp\qfaeenx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wygurjb.z

Filesize
185KB

MD5
9474ef9cd3b0e642db9b2eb53949a6ad

SHA1
cf0d057435c123e0cebe651907365a6d56c3f328

SHA256
fe8c90ecfacda561029d39d7356811db9df051e0edecc01e845a5da6396d836c

SHA512
e9aed14f30fbfb904289f89f16243906381718a5fcddb67b4d9ba3b3713cb49495dafa6834290787d96b3b83e8c56a649132042916300b5bbb58429479dbffcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtmqeadsglh.m

Filesize
5KB

MD5
fa296506bdb3a5f9aefa7144420a40a1

SHA1
010f9af53e8030a4586fa038c847432e5639dcbd

SHA256
bc8ab2be1593c8888b52515ad970855a40ed469138f34b5b4e17998f9682ba43

SHA512
441941fd51f1be98c37cb169f86d8c82f2ab17cdfacb7bcd728becf80974796e37720cffc71c9052cc36618d11401aa928c39e9e9e266d17e148044a6d5bb331

Download Submit
\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
\Users\Admin\AppData\Local\Temp\qfaeenx.exe

Filesize
8KB

MD5
1c76048e3b5258e026fd31e7d3cc1530

SHA1
25bef57a5eda44f8bd59e6aecd7cf8f681bc66b8

SHA256
a067079fe15e9c86bea9eaa38a258d77129195eb585e17e90ff01bf981b9d3ac

SHA512
fb1f76d24fd2800348b7b179beb06728a30e7142c13feb55174a99414a435d4200483b255773befcad22e1fbbb180b0cf52e0f7e9160df8cb0084614cd7df2cf

Download Submit
memory/676-64-0x0000000000000000-mapping.dmp

Download
memory/1012-62-0x000000000009F120-mapping.dmp

Download
memory/2000-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/2016-56-0x0000000000000000-mapping.dmp

Download