91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac

Analysis

max time kernel
45s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe
Size

287KB
MD5

53602ce749792a9f803274147a949d70
SHA1

cd819b4c4d1b31064b20799f7cea07a4ca0d4814
SHA256

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac
SHA512

d65a948942596a6e517614c91bb25d2d07d15488059bd21188bf4cc24aedb0743a982f4e8a5f47e72027080c98d1986639361591b5ad8fd17fd3f640356ef51c
SSDEEP

6144:4WOBZbwUfuYZx+GcrcBS2YOsVy/cMIkT7b7F1Yw7Y/WTdMI:41Bn2+cI1sU/cMf3bpCeY+TmI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

14.sfx.exe14.exe

pid process

520 14.sfx.exe
304 14.exe

pid	process
520	14.sfx.exe
304	14.exe

Loads dropped DLL 7 IoCs

Processes:

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe14.sfx.exeWerFault.exe

pid	process
896	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe
520	14.sfx.exe
520	14.sfx.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1448 304 WerFault.exe 14.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1764 DllHost.exe

pid	pid_target	process	target process
1448	304	WerFault.exe	14.exe

pid	process
1764	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe14.sfx.exe14.exe

description	pid	process	target process
PID 896 wrote to memory of 520	896	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe	14.sfx.exe
PID 896 wrote to memory of 520	896	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe	14.sfx.exe
PID 896 wrote to memory of 520	896	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe	14.sfx.exe
PID 896 wrote to memory of 520	896	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe	14.sfx.exe
PID 520 wrote to memory of 304	520	14.sfx.exe	14.exe
PID 520 wrote to memory of 304	520	14.sfx.exe	14.exe
PID 520 wrote to memory of 304	520	14.sfx.exe	14.exe
PID 520 wrote to memory of 304	520	14.sfx.exe	14.exe
PID 304 wrote to memory of 1448	304	14.exe	WerFault.exe
PID 304 wrote to memory of 1448	304	14.exe	WerFault.exe
PID 304 wrote to memory of 1448	304	14.exe	WerFault.exe
PID 304 wrote to memory of 1448	304	14.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe
"C:\Users\Admin\AppData\Local\Temp\91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:1448

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe

Filesize
221KB

MD5
f23322e75e68b78e0a60b7e292ccfd3a

SHA1
ed9948390f3167d105f03c6061f5c9a1407606db

SHA256
6a6d5a427301016fb92af28483ba01d268f590972a60e74d2fc34b72a66435cf

SHA512
de3f46793b98c80309922cc6aa6c8f098710c52c82197c8b6f983a766f54aea6cb0dea8d22e048654e0407f2280128136f3fb9884059196ac0239a973d4c39c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe

Filesize
221KB

MD5
f23322e75e68b78e0a60b7e292ccfd3a

SHA1
ed9948390f3167d105f03c6061f5c9a1407606db

SHA256
6a6d5a427301016fb92af28483ba01d268f590972a60e74d2fc34b72a66435cf

SHA512
de3f46793b98c80309922cc6aa6c8f098710c52c82197c8b6f983a766f54aea6cb0dea8d22e048654e0407f2280128136f3fb9884059196ac0239a973d4c39c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\photoimg436.qq.jpg

Filesize
16KB

MD5
69fc1c89dd06a6ef22c5abf7425c25a9

SHA1
d23e6fe37fc898193d38d734ba75cb884ade2cf9

SHA256
89aab43d88bfc4c0036f66738dfb5f3ade29f4833d4ae8855bd904b53231793d

SHA512
0526ba9ad0c4dbc809d9c4da945c284269acda6718577bd34b164d6a0692dfeeffe77c7d2895c5f3bea0eef5e322f05d902a2fd96cfae29eb7c8786deffa9e01

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe

Filesize
221KB

MD5
f23322e75e68b78e0a60b7e292ccfd3a

SHA1
ed9948390f3167d105f03c6061f5c9a1407606db

SHA256
6a6d5a427301016fb92af28483ba01d268f590972a60e74d2fc34b72a66435cf

SHA512
de3f46793b98c80309922cc6aa6c8f098710c52c82197c8b6f983a766f54aea6cb0dea8d22e048654e0407f2280128136f3fb9884059196ac0239a973d4c39c5

Download Submit
memory/304-63-0x0000000000000000-mapping.dmp

Download
memory/304-70-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/520-56-0x0000000000000000-mapping.dmp

Download
memory/896-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1448-65-0x0000000000000000-mapping.dmp

Download