Resubmissions
26/11/2022, 08:19
221126-j7yhtaed66 1025/11/2022, 12:27
221125-pmxnnsbe8t 824/11/2022, 09:51
221124-lvp21seh53 1024/11/2022, 09:44
221124-lqgvvahf3x 10Analysis
-
max time kernel
57s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
24/11/2022, 09:44
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
General
-
Target
file.exe
-
Size
1.4MB
-
MD5
073a3dc0c60492b618f888c5e603fd05
-
SHA1
4de52c57f8f032724452e901120bcf0fbee52902
-
SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
-
SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
SSDEEP
24576:W+wHtwQBTvwpeNrT2i8k57TujjVx3KClNyOiY:W+sBTopej8Mw3NlNF
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 560 OWT.exe -
Loads dropped DLL 6 IoCs
pid Process 328 cmd.exe 1952 WerFault.exe 1952 WerFault.exe 1952 WerFault.exe 1952 WerFault.exe 1952 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1952 560 WerFault.exe 33 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1868 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1364 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1792 file.exe 1852 powershell.exe 560 OWT.exe 880 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1792 file.exe Token: SeDebugPrivilege 1852 powershell.exe Token: SeDebugPrivilege 560 OWT.exe Token: SeDebugPrivilege 880 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1792 wrote to memory of 1852 1792 file.exe 28 PID 1792 wrote to memory of 1852 1792 file.exe 28 PID 1792 wrote to memory of 1852 1792 file.exe 28 PID 1792 wrote to memory of 328 1792 file.exe 30 PID 1792 wrote to memory of 328 1792 file.exe 30 PID 1792 wrote to memory of 328 1792 file.exe 30 PID 328 wrote to memory of 1364 328 cmd.exe 32 PID 328 wrote to memory of 1364 328 cmd.exe 32 PID 328 wrote to memory of 1364 328 cmd.exe 32 PID 328 wrote to memory of 560 328 cmd.exe 33 PID 328 wrote to memory of 560 328 cmd.exe 33 PID 328 wrote to memory of 560 328 cmd.exe 33 PID 560 wrote to memory of 880 560 OWT.exe 34 PID 560 wrote to memory of 880 560 OWT.exe 34 PID 560 wrote to memory of 880 560 OWT.exe 34 PID 560 wrote to memory of 976 560 OWT.exe 36 PID 560 wrote to memory of 976 560 OWT.exe 36 PID 560 wrote to memory of 976 560 OWT.exe 36 PID 976 wrote to memory of 1868 976 cmd.exe 38 PID 976 wrote to memory of 1868 976 cmd.exe 38 PID 976 wrote to memory of 1868 976 cmd.exe 38 PID 560 wrote to memory of 1952 560 OWT.exe 39 PID 560 wrote to memory of 1952 560 OWT.exe 39 PID 560 wrote to memory of 1952 560 OWT.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB32A.tmp.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:1364
-
-
C:\ProgramData\winrar\OWT.exe"C:\ProgramData\winrar\OWT.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"5⤵
- Creates scheduled task(s)
PID:1868
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 560 -s 6884⤵
- Loads dropped DLL
- Program crash
PID:1952
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
Filesize
138B
MD5186d39303be46cb7c7f0e4cc8ad64216
SHA1097aa52d854c73ca2eed8b19c3590507384990f1
SHA2569cc2086f0783a76150a79c35e4ee68eef4cc1c23a9573f193c3db157a0e7fb83
SHA512fad770fd633d3aa8c251c142f842154a98a74aeed928df5ad9cfe7ee60f48eb74b94fc63d2bb96927dccdc18480d45f2915ac6460f1cc936312f723560a86277
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5fb0d238619b7a924fce5e4355802b772
SHA1cab92c68c166833d8d7b70bb7505df6bcfa1a93f
SHA2560f72d08778a29af8cda6876741dfe5b70fb1c02b9b9053b490dd9b733dcbd65d
SHA5123eac35ecfd31b6a675a49d2d0a57e68b65eb53e9d613356a7767015d6d51a6bd0f4df7bfaedeea35587ef6c0b444fa03aba88551661fceae6b0d030459b79eee
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
-
Filesize
1.4MB
MD5073a3dc0c60492b618f888c5e603fd05
SHA14de52c57f8f032724452e901120bcf0fbee52902
SHA256f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA5124262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f