f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

Resubmissions

26-11-2022 08:19

221126-j7yhtaed66 10

25-11-2022 12:27

221125-pmxnnsbe8t 8

24-11-2022 09:51

221124-lvp21seh53 10

24-11-2022 09:44

221124-lqgvvahf3x 10

Analysis

max time kernel
57s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

073a3dc0c60492b618f888c5e603fd05
SHA1

4de52c57f8f032724452e901120bcf0fbee52902
SHA256

f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA512

4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
SSDEEP

24576:W+wHtwQBTvwpeNrT2i8k57TujjVx3KClNyOiY:W+sBTopej8Mw3NlNF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

560 OWT.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

328 cmd.exe
1952 WerFault.exe
1952 WerFault.exe
1952 WerFault.exe
1952 WerFault.exe
1952 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1952 560 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1868 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1364 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

pid process

1792 file.exe
1852 powershell.exe
560 OWT.exe
880 powershell.exe

pid	process
560	OWT.exe

pid	process
328	cmd.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe

pid	pid_target	process	target process
1952	560	WerFault.exe	OWT.exe

pid	process
1868	schtasks.exe

pid	process
1364	timeout.exe

pid	process
1792	file.exe
1852	powershell.exe
560	OWT.exe
880	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1792	file.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	560	OWT.exe
Token: SeDebugPrivilege	880	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 1852	1792	file.exe	powershell.exe
PID 1792 wrote to memory of 1852	1792	file.exe	powershell.exe
PID 1792 wrote to memory of 1852	1792	file.exe	powershell.exe
PID 1792 wrote to memory of 328	1792	file.exe	cmd.exe
PID 1792 wrote to memory of 328	1792	file.exe	cmd.exe
PID 1792 wrote to memory of 328	1792	file.exe	cmd.exe
PID 328 wrote to memory of 1364	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1364	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1364	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 560	328	cmd.exe	OWT.exe
PID 328 wrote to memory of 560	328	cmd.exe	OWT.exe
PID 328 wrote to memory of 560	328	cmd.exe	OWT.exe
PID 560 wrote to memory of 880	560	OWT.exe	powershell.exe
PID 560 wrote to memory of 880	560	OWT.exe	powershell.exe
PID 560 wrote to memory of 880	560	OWT.exe	powershell.exe
PID 560 wrote to memory of 976	560	OWT.exe	cmd.exe
PID 560 wrote to memory of 976	560	OWT.exe	cmd.exe
PID 560 wrote to memory of 976	560	OWT.exe	cmd.exe
PID 976 wrote to memory of 1868	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1868	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1868	976	cmd.exe	schtasks.exe
PID 560 wrote to memory of 1952	560	OWT.exe	WerFault.exe
PID 560 wrote to memory of 1952	560	OWT.exe	WerFault.exe
PID 560 wrote to memory of 1952	560	OWT.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB32A.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1364
- - C:\ProgramData\winrar\OWT.exe
    "C:\ProgramData\winrar\OWT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1868
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 560 -s 688
      4⤵
      Loads dropped DLL
      Program crash
      PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB32A.tmp.bat

Filesize
138B

MD5
186d39303be46cb7c7f0e4cc8ad64216

SHA1
097aa52d854c73ca2eed8b19c3590507384990f1

SHA256
9cc2086f0783a76150a79c35e4ee68eef4cc1c23a9573f193c3db157a0e7fb83

SHA512
fad770fd633d3aa8c251c142f842154a98a74aeed928df5ad9cfe7ee60f48eb74b94fc63d2bb96927dccdc18480d45f2915ac6460f1cc936312f723560a86277

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fb0d238619b7a924fce5e4355802b772

SHA1
cab92c68c166833d8d7b70bb7505df6bcfa1a93f

SHA256
0f72d08778a29af8cda6876741dfe5b70fb1c02b9b9053b490dd9b733dcbd65d

SHA512
3eac35ecfd31b6a675a49d2d0a57e68b65eb53e9d613356a7767015d6d51a6bd0f4df7bfaedeea35587ef6c0b444fa03aba88551661fceae6b0d030459b79eee

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
memory/328-75-0x0000000000000000-mapping.dmp

Download
memory/560-103-0x000007FEFDD50000-0x000007FEFDF53000-memory.dmp

Filesize
2.0MB

Download
memory/560-122-0x0000000001110000-0x00000000012DC000-memory.dmp

Filesize
1.8MB

Download
memory/560-104-0x0000000001110000-0x00000000012DC000-memory.dmp

Filesize
1.8MB

Download
memory/560-105-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/560-106-0x0000000001110000-0x00000000012DC000-memory.dmp

Filesize
1.8MB

Download
memory/560-120-0x000007FEFB550000-0x000007FEFB765000-memory.dmp

Filesize
2.1MB

Download
memory/560-102-0x000007FEFD660000-0x000007FEFD78D000-memory.dmp

Filesize
1.2MB

Download
memory/560-101-0x000007FEF4EC0000-0x000007FEF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/560-98-0x000007FEFF1D0000-0x000007FEFF241000-memory.dmp

Filesize
452KB

Download
memory/560-121-0x000007FEFF250000-0x000007FEFF327000-memory.dmp

Filesize
860KB

Download
memory/560-100-0x000007FEFF0F0000-0x000007FEFF1CB000-memory.dmp

Filesize
876KB

Download
memory/560-107-0x000007FEF63A0000-0x000007FEF64CC000-memory.dmp

Filesize
1.2MB

Download
memory/560-99-0x000007FEF64D0000-0x000007FEF65C7000-memory.dmp

Filesize
988KB

Download
memory/560-96-0x0000000077110000-0x000000007722F000-memory.dmp

Filesize
1.1MB

Download
memory/560-97-0x000007FEFD200000-0x000007FEFD26C000-memory.dmp

Filesize
432KB

Download
memory/560-95-0x000007FEFE1B0000-0x000007FEFE24F000-memory.dmp

Filesize
636KB

Download
memory/560-94-0x0000000077010000-0x000000007710A000-memory.dmp

Filesize
1000KB

Download
memory/560-93-0x000007FEFE120000-0x000007FEFE187000-memory.dmp

Filesize
412KB

Download
memory/560-91-0x000007FEF6670000-0x000007FEF66DF000-memory.dmp

Filesize
444KB

Download
memory/560-92-0x000007FEF65D0000-0x000007FEF666C000-memory.dmp

Filesize
624KB

Download
memory/560-123-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/560-126-0x000007FEFE090000-0x000007FEFE0AF000-memory.dmp

Filesize
124KB

Download
memory/560-87-0x0000000000000000-mapping.dmp

Download
memory/880-111-0x000007FEEC730000-0x000007FEED153000-memory.dmp

Filesize
10.1MB

Download
memory/880-108-0x0000000000000000-mapping.dmp

Download
memory/880-116-0x0000000002A8B000-0x0000000002AAA000-memory.dmp

Filesize
124KB

Download
memory/880-115-0x0000000002A8B000-0x0000000002AAA000-memory.dmp

Filesize
124KB

Download
memory/880-114-0x0000000002A84000-0x0000000002A87000-memory.dmp

Filesize
12KB

Download
memory/880-113-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/880-112-0x000007FEEBBD0000-0x000007FEEC72D000-memory.dmp

Filesize
11.4MB

Download
memory/976-118-0x0000000000000000-mapping.dmp

Download
memory/1364-79-0x0000000000000000-mapping.dmp

Download
memory/1792-65-0x000007FEF6790000-0x000007FEF6887000-memory.dmp

Filesize
988KB

Download
memory/1792-62-0x0000000077110000-0x000000007722F000-memory.dmp

Filesize
1.1MB

Download
memory/1792-57-0x0000000000C70000-0x0000000000CB1000-memory.dmp

Filesize
260KB

Download
memory/1792-72-0x000007FEF65B0000-0x000007FEF66DC000-memory.dmp

Filesize
1.2MB

Download
memory/1792-71-0x0000000000C70000-0x0000000000CB1000-memory.dmp

Filesize
260KB

Download
memory/1792-70-0x00000000011A0000-0x000000000136C000-memory.dmp

Filesize
1.8MB

Download
memory/1792-69-0x000007FEFDD50000-0x000007FEFDF53000-memory.dmp

Filesize
2.0MB

Download
memory/1792-68-0x000007FEFD660000-0x000007FEFD78D000-memory.dmp

Filesize
1.2MB

Download
memory/1792-67-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-76-0x000007FEFE090000-0x000007FEFE0AF000-memory.dmp

Filesize
124KB

Download
memory/1792-66-0x000007FEFF0F0000-0x000007FEFF1CB000-memory.dmp

Filesize
876KB

Download
memory/1792-56-0x00000000011A0000-0x000000000136C000-memory.dmp

Filesize
1.8MB

Download
memory/1792-80-0x00000000011A0000-0x000000000136C000-memory.dmp

Filesize
1.8MB

Download
memory/1792-55-0x000007FEFA550000-0x000007FEFA5BF000-memory.dmp

Filesize
444KB

Download
memory/1792-58-0x000007FEF6890000-0x000007FEF692C000-memory.dmp

Filesize
624KB

Download
memory/1792-59-0x000007FEFE120000-0x000007FEFE187000-memory.dmp

Filesize
412KB

Download
memory/1792-60-0x0000000077010000-0x000000007710A000-memory.dmp

Filesize
1000KB

Download
memory/1792-61-0x000007FEFE1B0000-0x000007FEFE24F000-memory.dmp

Filesize
636KB

Download
memory/1792-63-0x000007FEFD200000-0x000007FEFD26C000-memory.dmp

Filesize
432KB

Download
memory/1792-64-0x000007FEFF1D0000-0x000007FEFF241000-memory.dmp

Filesize
452KB

Download
memory/1852-85-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1852-74-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1852-84-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1852-82-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1852-83-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1852-81-0x000007FEF5740000-0x000007FEF629D000-memory.dmp

Filesize
11.4MB

Download
memory/1852-77-0x000007FEED0D0000-0x000007FEEDAF3000-memory.dmp

Filesize
10.1MB

Download
memory/1852-73-0x0000000000000000-mapping.dmp

Download
memory/1868-119-0x0000000000000000-mapping.dmp

Download
memory/1952-125-0x0000000000000000-mapping.dmp

Download