Analysis
-
max time kernel
203s -
max time network
218s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 18:24
General
-
Target
52cc8b9da33ddd5746e47ccee7beb62bf48fbadbc10efb436ec82eee4db60336.exe
-
Size
901KB
-
MD5
025b64dd751bd9278d8005b18076bec8
-
SHA1
9526be88916f8713d5eb0699652b1ae49ebaf03a
-
SHA256
52cc8b9da33ddd5746e47ccee7beb62bf48fbadbc10efb436ec82eee4db60336
-
SHA512
42385631fa7fe25b25eae89dfdb012d249dda820c8bc0807d68b2a18c2fdba0f938c9c44854ac21a0539822f091ae4dcd443aa13dcbff5b0b0fc71451732ceba
-
SSDEEP
12288:xeXr/Cm+XQ9i8aMVkUet7EwBI+APuALDbFmZcZlyNGUO:xGr/Cm+X18zVkUetVI5uiDbFmZu4PO
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 48 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 47 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies Control Panel 3 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\52cc8b9da33ddd5746e47ccee7beb62bf48fbadbc10efb436ec82eee4db60336.exe"C:\Users\Admin\AppData\Local\Temp\52cc8b9da33ddd5746e47ccee7beb62bf48fbadbc10efb436ec82eee4db60336.exe"1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\inf4D2.tmpC:\Users\Admin\AppData\Local\Temp\inf4D2.tmp2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 9162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4716 -ip 47161⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD56d778e0f95447e6546553eeea709d03c
SHA1811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
SHA25662abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4
SHA512a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f
-
Filesize
380KB
MD56d778e0f95447e6546553eeea709d03c
SHA1811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
SHA25662abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4
SHA512a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f
-