31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

Analysis

max time kernel
181s
max time network
225s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.2MB
MD5

55e6b02bacb96b3274c18ddfac22b158
SHA1

f9c8ab92109b19f6c75175dd29410a2577781d37
SHA256

31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17
SHA512

9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea
SSDEEP

12288:/bLbeaonsJ8vQ2bTgzwHJeTv4gyukOGKa43S6AdioOpsyj5rE/qYZKYf62JPkuJd:oyATWwpepuKa43lIioOpfUA6fJPvV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

1276 OWT.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1868 cmd.exe
1772 WerFault.exe
1772 WerFault.exe
1772 WerFault.exe
1772 WerFault.exe
1772 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1772 1276 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1472 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1932 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

pid process

1688 file.exe
1908 powershell.exe
1276 OWT.exe
984 powershell.exe

pid	process
1276	OWT.exe

pid	process
1868	cmd.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

pid	pid_target	process	target process
1772	1276	WerFault.exe	OWT.exe

pid	process
1472	schtasks.exe

pid	process
1932	timeout.exe

pid	process
1688	file.exe
1908	powershell.exe
1276	OWT.exe
984	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1688	file.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1276	OWT.exe
Token: SeDebugPrivilege	984	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 1908	1688	file.exe	powershell.exe
PID 1688 wrote to memory of 1908	1688	file.exe	powershell.exe
PID 1688 wrote to memory of 1908	1688	file.exe	powershell.exe
PID 1688 wrote to memory of 1868	1688	file.exe	cmd.exe
PID 1688 wrote to memory of 1868	1688	file.exe	cmd.exe
PID 1688 wrote to memory of 1868	1688	file.exe	cmd.exe
PID 1868 wrote to memory of 1932	1868	cmd.exe	timeout.exe
PID 1868 wrote to memory of 1932	1868	cmd.exe	timeout.exe
PID 1868 wrote to memory of 1932	1868	cmd.exe	timeout.exe
PID 1868 wrote to memory of 1276	1868	cmd.exe	OWT.exe
PID 1868 wrote to memory of 1276	1868	cmd.exe	OWT.exe
PID 1868 wrote to memory of 1276	1868	cmd.exe	OWT.exe
PID 1276 wrote to memory of 984	1276	OWT.exe	powershell.exe
PID 1276 wrote to memory of 984	1276	OWT.exe	powershell.exe
PID 1276 wrote to memory of 984	1276	OWT.exe	powershell.exe
PID 1276 wrote to memory of 2032	1276	OWT.exe	cmd.exe
PID 1276 wrote to memory of 2032	1276	OWT.exe	cmd.exe
PID 1276 wrote to memory of 2032	1276	OWT.exe	cmd.exe
PID 2032 wrote to memory of 1472	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 1472	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 1472	2032	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 1772	1276	OWT.exe	WerFault.exe
PID 1276 wrote to memory of 1772	1276	OWT.exe	WerFault.exe
PID 1276 wrote to memory of 1772	1276	OWT.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD57.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1932

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1276 -s 1576
4⤵
- Loads dropped DLL
- Program crash
PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD57.tmp.bat

Filesize
138B

MD5
8d343974ce413f3c568142587878c777

SHA1
fc196a458a25d75f8fb50811908a546026e397e0

SHA256
be7b0bf5cd543bd973ea83f6104c5894b2ada557019cb7734bee6bd2487b440c

SHA512
67c050b5226db35502a1c4502f6989389dcc08d0e5e2609b956f36c913cbc2a32f55daeb7dd352360c6d4b72f7294c630a55ebda6512edea62c17422d28e563d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
881ff5b7963c643e047832ad47d5cb6e

SHA1
68f9fb41b71d6c9546e1eb522cdaada792ec6089

SHA256
31a39a74cfeb74cbc7467687204179d9469cc5a5d7956fc08e055c1c5bbf20ca

SHA512
8c49be0b8a27ad6151cd1df7e556405e70c377be28f7588d99a1b5baed2d219c35c62c086df5663992914f43564b61753eb4faa814c34a327b2538542019cd63

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.2MB

MD5
55e6b02bacb96b3274c18ddfac22b158

SHA1
f9c8ab92109b19f6c75175dd29410a2577781d37

SHA256
31d1abaf2a71b1db4d90b34699237ebbf6d983d3fd21d3435bc3b9494b773c17

SHA512
9cd4c2a139a87c83d21ba4256a62d5ba87020931c558277affffe5fcecca97fdff7610cf884378c0889eb4698d3aa20854ffd5b2cccafca97fc333221694fdea

Download Submit
memory/984-114-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/984-112-0x000007FEEC7A0000-0x000007FEED2FD000-memory.dmp

Filesize
11.4MB

Download
memory/984-111-0x000007FEED300000-0x000007FEEDD23000-memory.dmp

Filesize
10.1MB

Download
memory/984-113-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/984-108-0x0000000000000000-mapping.dmp

Download
memory/984-120-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/984-122-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/984-123-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download
memory/1276-99-0x000007FEFE350000-0x000007FEFE42B000-memory.dmp

Filesize
876KB

Download
memory/1276-107-0x000007FEF6AB0000-0x000007FEF6BDC000-memory.dmp

Filesize
1.2MB

Download
memory/1276-135-0x000007FEFCC90000-0x000007FEFCCEB000-memory.dmp

Filesize
364KB

Download
memory/1276-134-0x000007FEFD970000-0x000007FEFD9A6000-memory.dmp

Filesize
216KB

Download
memory/1276-133-0x000007FEFB1C0000-0x000007FEFB1E7000-memory.dmp

Filesize
156KB

Download
memory/1276-132-0x000007FEFD440000-0x000007FEFD465000-memory.dmp

Filesize
148KB

Download
memory/1276-131-0x000007FEF9B30000-0x000007FEF9BA1000-memory.dmp

Filesize
452KB

Download
memory/1276-130-0x000007FEF9AC0000-0x000007FEF9B24000-memory.dmp

Filesize
400KB

Download
memory/1276-129-0x000007FEFE430000-0x000007FEFE47D000-memory.dmp

Filesize
308KB

Download
memory/1276-128-0x000007FEF1490000-0x000007FEF14F2000-memory.dmp

Filesize
392KB

Download
memory/1276-127-0x000007FEFB1A0000-0x000007FEFB1BC000-memory.dmp

Filesize
112KB

Download
memory/1276-126-0x000007FEFCE70000-0x000007FEFCE87000-memory.dmp

Filesize
92KB

Download
memory/1276-125-0x000007FEFCFC0000-0x000007FEFCFE2000-memory.dmp

Filesize
136KB

Download
memory/1276-124-0x000007FEFE860000-0x000007FEFE87F000-memory.dmp

Filesize
124KB

Download
memory/1276-86-0x0000000000000000-mapping.dmp

Download
memory/1276-121-0x000007FEFDB10000-0x000007FEFDBE7000-memory.dmp

Filesize
860KB

Download
memory/1276-90-0x000007FEF6F50000-0x000007FEF6FBF000-memory.dmp

Filesize
444KB

Download
memory/1276-91-0x000007FEF6EB0000-0x000007FEF6F4C000-memory.dmp

Filesize
624KB

Download
memory/1276-92-0x000007FEFDBF0000-0x000007FEFDC57000-memory.dmp

Filesize
412KB

Download
memory/1276-93-0x0000000077730000-0x000000007782A000-memory.dmp

Filesize
1000KB

Download
memory/1276-94-0x000007FEFE2A0000-0x000007FEFE33F000-memory.dmp

Filesize
636KB

Download
memory/1276-96-0x000007FEFD690000-0x000007FEFD6FC000-memory.dmp

Filesize
432KB

Download
memory/1276-95-0x0000000077610000-0x000000007772F000-memory.dmp

Filesize
1.1MB

Download
memory/1276-97-0x000007FEFDF70000-0x000007FEFDFE1000-memory.dmp

Filesize
452KB

Download
memory/1276-117-0x000007FEFBB40000-0x000007FEFBD55000-memory.dmp

Filesize
2.1MB

Download
memory/1276-98-0x000007FEF6BE0000-0x000007FEF6CD7000-memory.dmp

Filesize
988KB

Download
memory/1276-100-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

Filesize
9.9MB

Download
memory/1276-101-0x000007FEFE480000-0x000007FEFE5AD000-memory.dmp

Filesize
1.2MB

Download
memory/1276-103-0x000007FEFF930000-0x000007FEFFB33000-memory.dmp

Filesize
2.0MB

Download
memory/1276-102-0x0000000000DD0000-0x0000000000F6E000-memory.dmp

Filesize
1.6MB

Download
memory/1276-104-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/1276-105-0x0000000000DD0000-0x0000000000F6E000-memory.dmp

Filesize
1.6MB

Download
memory/1276-106-0x0000000000DD0000-0x0000000000F6E000-memory.dmp

Filesize
1.6MB

Download
memory/1276-119-0x0000000000DD0000-0x0000000000F6E000-memory.dmp

Filesize
1.6MB

Download
memory/1472-118-0x0000000000000000-mapping.dmp

Download
memory/1688-63-0x000007FEFD690000-0x000007FEFD6FC000-memory.dmp

Filesize
432KB

Download
memory/1688-58-0x000007FEF6F20000-0x000007FEF6FBC000-memory.dmp

Filesize
624KB

Download
memory/1688-62-0x0000000077610000-0x000000007772F000-memory.dmp

Filesize
1.1MB

Download
memory/1688-65-0x000007FEF6E20000-0x000007FEF6F17000-memory.dmp

Filesize
988KB

Download
memory/1688-57-0x0000000000410000-0x0000000000453000-memory.dmp

Filesize
268KB

Download
memory/1688-68-0x000007FEFE480000-0x000007FEFE5AD000-memory.dmp

Filesize
1.2MB

Download
memory/1688-70-0x0000000000100000-0x000000000029E000-memory.dmp

Filesize
1.6MB

Download
memory/1688-64-0x000007FEFDF70000-0x000007FEFDFE1000-memory.dmp

Filesize
452KB

Download
memory/1688-61-0x000007FEFE2A0000-0x000007FEFE33F000-memory.dmp

Filesize
636KB

Download
memory/1688-75-0x000007FEFE860000-0x000007FEFE87F000-memory.dmp

Filesize
124KB

Download
memory/1688-78-0x0000000000100000-0x000000000029E000-memory.dmp

Filesize
1.6MB

Download
memory/1688-66-0x000007FEFE350000-0x000007FEFE42B000-memory.dmp

Filesize
876KB

Download
memory/1688-56-0x0000000000100000-0x000000000029E000-memory.dmp

Filesize
1.6MB

Download
memory/1688-71-0x000007FEF6BB0000-0x000007FEF6CDC000-memory.dmp

Filesize
1.2MB

Download
memory/1688-55-0x000007FEFAB50000-0x000007FEFABBF000-memory.dmp

Filesize
444KB

Download
memory/1688-69-0x000007FEFF930000-0x000007FEFFB33000-memory.dmp

Filesize
2.0MB

Download
memory/1688-67-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-59-0x000007FEFDBF0000-0x000007FEFDC57000-memory.dmp

Filesize
412KB

Download
memory/1688-60-0x0000000077730000-0x000000007782A000-memory.dmp

Filesize
1000KB

Download
memory/1688-79-0x0000000000410000-0x0000000000453000-memory.dmp

Filesize
268KB

Download
memory/1772-137-0x0000000000000000-mapping.dmp

Download
memory/1868-74-0x0000000000000000-mapping.dmp

Download
memory/1908-84-0x000000000230B000-0x000000000232A000-memory.dmp

Filesize
124KB

Download
memory/1908-73-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp

Filesize
8KB

Download
memory/1908-80-0x000007FEEDCA0000-0x000007FEEE6C3000-memory.dmp

Filesize
10.1MB

Download
memory/1908-82-0x0000000002304000-0x0000000002307000-memory.dmp

Filesize
12KB

Download
memory/1908-81-0x000007FEF5E40000-0x000007FEF699D000-memory.dmp

Filesize
11.4MB

Download
memory/1908-83-0x0000000002304000-0x0000000002307000-memory.dmp

Filesize
12KB

Download
memory/1908-72-0x0000000000000000-mapping.dmp

Download
memory/1932-77-0x0000000000000000-mapping.dmp

Download
memory/2032-116-0x0000000000000000-mapping.dmp

Download