f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

Analysis

max time kernel
82s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

df86d605b3aa3dd86b70cfc103622143
SHA1

d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3
SHA256

f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5
SHA512

695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60
SSDEEP

24576:Mf8GBTvwpet3j9gkEubdiHn/cVo8qBWkaQFX2l:Mf8GBTopeN9PwES8izFGl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

1060 OWT.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1864 cmd.exe
1020 WerFault.exe
1020 WerFault.exe
1020 WerFault.exe
1020 WerFault.exe
1020 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1020 1060 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1956 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1392 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

pid process

944 file.exe
1532 powershell.exe
1060 OWT.exe
1428 powershell.exe

pid	process
1060	OWT.exe

pid	process
1864	cmd.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe

pid	pid_target	process	target process
1020	1060	WerFault.exe	OWT.exe

pid	process
1956	schtasks.exe

pid	process
1392	timeout.exe

pid	process
944	file.exe
1532	powershell.exe
1060	OWT.exe
1428	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	944	file.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1060	OWT.exe
Token: SeDebugPrivilege	1428	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 944 wrote to memory of 1532	944	file.exe	powershell.exe
PID 944 wrote to memory of 1532	944	file.exe	powershell.exe
PID 944 wrote to memory of 1532	944	file.exe	powershell.exe
PID 944 wrote to memory of 1864	944	file.exe	cmd.exe
PID 944 wrote to memory of 1864	944	file.exe	cmd.exe
PID 944 wrote to memory of 1864	944	file.exe	cmd.exe
PID 1864 wrote to memory of 1392	1864	cmd.exe	timeout.exe
PID 1864 wrote to memory of 1392	1864	cmd.exe	timeout.exe
PID 1864 wrote to memory of 1392	1864	cmd.exe	timeout.exe
PID 1864 wrote to memory of 1060	1864	cmd.exe	OWT.exe
PID 1864 wrote to memory of 1060	1864	cmd.exe	OWT.exe
PID 1864 wrote to memory of 1060	1864	cmd.exe	OWT.exe
PID 1060 wrote to memory of 1428	1060	OWT.exe	powershell.exe
PID 1060 wrote to memory of 1428	1060	OWT.exe	powershell.exe
PID 1060 wrote to memory of 1428	1060	OWT.exe	powershell.exe
PID 1060 wrote to memory of 1144	1060	OWT.exe	cmd.exe
PID 1060 wrote to memory of 1144	1060	OWT.exe	cmd.exe
PID 1060 wrote to memory of 1144	1060	OWT.exe	cmd.exe
PID 1144 wrote to memory of 1956	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 1956	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 1956	1144	cmd.exe	schtasks.exe
PID 1060 wrote to memory of 1020	1060	OWT.exe	WerFault.exe
PID 1060 wrote to memory of 1020	1060	OWT.exe	WerFault.exe
PID 1060 wrote to memory of 1020	1060	OWT.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB443.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1392

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1060 -s 764
4⤵
- Loads dropped DLL
- Program crash
PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB443.tmp.bat

Filesize
138B

MD5
ba18fec91b710ef0df2ed2acfc13a4e1

SHA1
c7f5a6ec49f04a849b38701ba17e0f5a63d89929

SHA256
6ff7fbdcafa7969034f0b0fc87479ab68e8b021c509ab41ecc37bb8c2eae000c

SHA512
74ffee2e4b38a2690f8a959a114620e3307422ec3dc93a04630f4d453f98dfe86bb1dc33ae4401adcf5b4c7eca79a11a4876595d988b23af6ac5cd33e8c33d7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2601cd38d11871c4f51b5d51463d74bd

SHA1
957f16796d5cda574bf32a282d4672edb923fdd1

SHA256
5e7eac78d6123f2c6c7f143ccb8314f2a3a1727e36dbb214df25e5f05f60ee71

SHA512
97c2399c76d0df9b7a667c27b5e1f351fa1855e02cc9e1838290f78952a56f1473e8e79ad3864a0df8cfcab27969a7b92e5403cc59e8f9151de631799f59361c

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
memory/944-70-0x0000000000E70000-0x0000000001044000-memory.dmp

Filesize
1.8MB

Download
memory/944-55-0x000007FEF6150000-0x000007FEF61BF000-memory.dmp

Filesize
444KB

Download
memory/944-68-0x000007FEFEF30000-0x000007FEFF05D000-memory.dmp

Filesize
1.2MB

Download
memory/944-69-0x000007FEFE750000-0x000007FEFE953000-memory.dmp

Filesize
2.0MB

Download
memory/944-66-0x000007FEFD530000-0x000007FEFD60B000-memory.dmp

Filesize
876KB

Download
memory/944-71-0x000007FEF3800000-0x000007FEF392C000-memory.dmp

Filesize
1.2MB

Download
memory/944-64-0x000007FEFEC10000-0x000007FEFEC81000-memory.dmp

Filesize
452KB

Download
memory/944-63-0x000007FEFD020000-0x000007FEFD08C000-memory.dmp

Filesize
432KB

Download
memory/944-62-0x0000000076DB0000-0x0000000076ECF000-memory.dmp

Filesize
1.1MB

Download
memory/944-67-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/944-61-0x000007FEFD610000-0x000007FEFD6AF000-memory.dmp

Filesize
636KB

Download
memory/944-78-0x000007FEFEC90000-0x000007FEFECAF000-memory.dmp

Filesize
124KB

Download
memory/944-79-0x0000000000E70000-0x0000000001044000-memory.dmp

Filesize
1.8MB

Download
memory/944-80-0x0000000000070000-0x00000000000B3000-memory.dmp

Filesize
268KB

Download
memory/944-60-0x0000000076CB0000-0x0000000076DAA000-memory.dmp

Filesize
1000KB

Download
memory/944-59-0x000007FEFD490000-0x000007FEFD4F7000-memory.dmp

Filesize
412KB

Download
memory/944-56-0x000007FEF60B0000-0x000007FEF614C000-memory.dmp

Filesize
624KB

Download
memory/944-58-0x0000000000070000-0x00000000000B3000-memory.dmp

Filesize
268KB

Download
memory/944-57-0x0000000000E70000-0x0000000001044000-memory.dmp

Filesize
1.8MB

Download
memory/1020-125-0x0000000000000000-mapping.dmp

Download
memory/1060-85-0x0000000000000000-mapping.dmp

Download
memory/1060-123-0x0000000001030000-0x0000000001204000-memory.dmp

Filesize
1.8MB

Download
memory/1060-122-0x0000000000480000-0x00000000004C3000-memory.dmp

Filesize
268KB

Download
memory/1060-92-0x000007FEF60B0000-0x000007FEF614C000-memory.dmp

Filesize
624KB

Download
memory/1060-119-0x000007FEFE670000-0x000007FEFE747000-memory.dmp

Filesize
860KB

Download
memory/1060-90-0x000007FEF6150000-0x000007FEF61BF000-memory.dmp

Filesize
444KB

Download
memory/1060-93-0x000007FEFD490000-0x000007FEFD4F7000-memory.dmp

Filesize
412KB

Download
memory/1060-96-0x0000000076DB0000-0x0000000076ECF000-memory.dmp

Filesize
1.1MB

Download
memory/1060-95-0x000007FEFD610000-0x000007FEFD6AF000-memory.dmp

Filesize
636KB

Download
memory/1060-94-0x0000000076CB0000-0x0000000076DAA000-memory.dmp

Filesize
1000KB

Download
memory/1060-98-0x000007FEFEC10000-0x000007FEFEC81000-memory.dmp

Filesize
452KB

Download
memory/1060-97-0x000007FEFD020000-0x000007FEFD08C000-memory.dmp

Filesize
432KB

Download
memory/1060-102-0x0000000001030000-0x0000000001204000-memory.dmp

Filesize
1.8MB

Download
memory/1060-101-0x000007FEFD530000-0x000007FEFD60B000-memory.dmp

Filesize
876KB

Download
memory/1060-99-0x0000000000480000-0x00000000004C3000-memory.dmp

Filesize
268KB

Download
memory/1060-103-0x000007FEF45D0000-0x000007FEF4FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1060-105-0x000007FEFE750000-0x000007FEFE953000-memory.dmp

Filesize
2.0MB

Download
memory/1060-104-0x000007FEFEF30000-0x000007FEFF05D000-memory.dmp

Filesize
1.2MB

Download
memory/1060-106-0x0000000001030000-0x0000000001204000-memory.dmp

Filesize
1.8MB

Download
memory/1060-118-0x000007FEFB1E0000-0x000007FEFB3F5000-memory.dmp

Filesize
2.1MB

Download
memory/1144-116-0x0000000000000000-mapping.dmp

Download
memory/1392-77-0x0000000000000000-mapping.dmp

Download
memory/1428-111-0x000007FEEBFF0000-0x000007FEECA13000-memory.dmp

Filesize
10.1MB

Download
memory/1428-121-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1428-112-0x000007FEEB490000-0x000007FEEBFED000-memory.dmp

Filesize
11.4MB

Download
memory/1428-114-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1428-113-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1428-108-0x0000000000000000-mapping.dmp

Download
memory/1428-120-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1532-89-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1532-91-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1532-83-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1532-82-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1532-81-0x000007FEF4E50000-0x000007FEF59AD000-memory.dmp

Filesize
11.4MB

Download
memory/1532-74-0x000007FEEC060000-0x000007FEECA83000-memory.dmp

Filesize
10.1MB

Download
memory/1532-73-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1532-72-0x0000000000000000-mapping.dmp

Download
memory/1864-75-0x0000000000000000-mapping.dmp

Download
memory/1956-117-0x0000000000000000-mapping.dmp

Download