14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e

Analysis

max time kernel
24s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe
Size

102KB
MD5

58bc14cd9a5b15b3d7926f857484042f
SHA1

77e0eaf796306feb74a474703526f6ab1ab7ed4d
SHA256

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e
SHA512

7ba79d436c56ecc0e19583feb304e46ad79218126cd5881676ebb79c2dbf283ce0ab7a93eb272eff6db2e69f524697f334a7f637afed6b2b93126ae2a870817b
SSDEEP

1536:9QxqcQu0XPmEmEcYUpEjCTfaAIW1EvqTlrxtPpFAXF9N/6Sy:y/03mEcppEjCTfaAIWSqTlrbPLEz4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

6ty2EEE.exe6ty2EEE.exe

pid process

1492 6ty2EEE.exe
1756 6ty2EEE.exe

pid	process
1492	6ty2EEE.exe
1756	6ty2EEE.exe

Loads dropped DLL 8 IoCs

Processes:

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe6ty2EEE.exeWerFault.exe

pid	process
748	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe
748	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe
1492	6ty2EEE.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6ty2EEE.exe

description pid process target process

PID 1492 set thread context of 1756 1492 6ty2EEE.exe 6ty2EEE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1468 1756 WerFault.exe 6ty2EEE.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1784 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6ty2EEE.exe

pid process

1492 6ty2EEE.exe

description	pid	process	target process
PID 1492 set thread context of 1756	1492	6ty2EEE.exe	6ty2EEE.exe

pid	pid_target	process	target process
1468	1756	WerFault.exe	6ty2EEE.exe

pid	process
1784	DllHost.exe

pid	process
1492	6ty2EEE.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe6ty2EEE.exe6ty2EEE.exe

description	pid	process	target process
PID 748 wrote to memory of 1492	748	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe	6ty2EEE.exe
PID 748 wrote to memory of 1492	748	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe	6ty2EEE.exe
PID 748 wrote to memory of 1492	748	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe	6ty2EEE.exe
PID 748 wrote to memory of 1492	748	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1492 wrote to memory of 1756	1492	6ty2EEE.exe	6ty2EEE.exe
PID 1756 wrote to memory of 1468	1756	6ty2EEE.exe	WerFault.exe
PID 1756 wrote to memory of 1468	1756	6ty2EEE.exe	WerFault.exe
PID 1756 wrote to memory of 1468	1756	6ty2EEE.exe	WerFault.exe
PID 1756 wrote to memory of 1468	1756	6ty2EEE.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe
"C:\Users\Admin\AppData\Local\Temp\14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
"C:\Users\Admin\AppData\Local\Temp\6ty2EEE.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
"C:\Users\Admin\AppData\Local\Temp\6ty2EEE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:1468

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ty3056.jpg
Filesize
3KB

MD5
d101d07ba61bc6990aac73a0cdd67f4f

SHA1
aff942e16e1e952f57cd7e51dc3219f7f7812390

SHA256
5b01fe09d445ec0e38b1db3443dd7013bfc2b871fae69a5c0e978fc58b560c05

SHA512
9cb17efd8bb5c870ebf7c70870a803a8d7f775596d86165ea2dff0d42f1fa775eef407cd333ee91f866c64074fb82f3e19a1c93a56114a8fc2967e72e88f285b

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
\Users\Admin\AppData\Local\Temp\6ty2EEE.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
memory/748-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1468-81-0x0000000000000000-mapping.dmp

Download
memory/1492-57-0x0000000000000000-mapping.dmp

Download
memory/1756-76-0x00000000004102A0-mapping.dmp

Download
memory/1756-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-80-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/1756-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-72-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1756-87-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download