f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

Analysis

max time kernel
62s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.3MB
MD5

442068a8271d880244a03d4d290c75fa
SHA1

bc20dc9ca257c6a0573d521e702cbf0369fdd4b3
SHA256

f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf
SHA512

a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34
SSDEEP

24576:YmK6Q9qEYTewpekHZySOVhP8BCaff7XFf7aiJRw+UjxF:YmK6OqEYT1pek0VFof7ValxxF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

384 OWT.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1700 cmd.exe
552 WerFault.exe
552 WerFault.exe
552 WerFault.exe
552 WerFault.exe
552 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

552 384 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

544 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1788 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

pid process

1276 file.exe
520 powershell.exe
384 OWT.exe
968 powershell.exe

pid	process
384	OWT.exe

pid	process
1700	cmd.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe

pid	pid_target	process	target process
552	384	WerFault.exe	OWT.exe

pid	process
544	schtasks.exe

pid	process
1788	timeout.exe

pid	process
1276	file.exe
520	powershell.exe
384	OWT.exe
968	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1276	file.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	384	OWT.exe
Token: SeDebugPrivilege	968	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 520	1276	file.exe	powershell.exe
PID 1276 wrote to memory of 520	1276	file.exe	powershell.exe
PID 1276 wrote to memory of 520	1276	file.exe	powershell.exe
PID 1276 wrote to memory of 1700	1276	file.exe	cmd.exe
PID 1276 wrote to memory of 1700	1276	file.exe	cmd.exe
PID 1276 wrote to memory of 1700	1276	file.exe	cmd.exe
PID 1700 wrote to memory of 1788	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 1788	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 1788	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 384	1700	cmd.exe	OWT.exe
PID 1700 wrote to memory of 384	1700	cmd.exe	OWT.exe
PID 1700 wrote to memory of 384	1700	cmd.exe	OWT.exe
PID 384 wrote to memory of 968	384	OWT.exe	powershell.exe
PID 384 wrote to memory of 968	384	OWT.exe	powershell.exe
PID 384 wrote to memory of 968	384	OWT.exe	powershell.exe
PID 384 wrote to memory of 1624	384	OWT.exe	cmd.exe
PID 384 wrote to memory of 1624	384	OWT.exe	cmd.exe
PID 384 wrote to memory of 1624	384	OWT.exe	cmd.exe
PID 1624 wrote to memory of 544	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 544	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 544	1624	cmd.exe	schtasks.exe
PID 384 wrote to memory of 552	384	OWT.exe	WerFault.exe
PID 384 wrote to memory of 552	384	OWT.exe	WerFault.exe
PID 384 wrote to memory of 552	384	OWT.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp981C.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1788

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 384 -s 792
4⤵
- Loads dropped DLL
- Program crash
PID:552

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
C:\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp981C.tmp.bat
Filesize
138B

MD5
892b64c990a9eed454fa380d78305f94

SHA1
acd8612ee99265db77aeed400c43a4bd44b5e293

SHA256
df33ce9b990dbf1eafd11f4e24009d0454a325d8f30cdee7bfb501a2446531b6

SHA512
1bcb54a87b546b751ee54c5762ed25f7a16dd69ce8a548d77766738602b9e2b0716c8ae58837524d277799f6b1be7840e3ed1305ad9bf55e8d8e99afc2720b34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1ff704f50dc0fa36d10a34c6a33ab7ca

SHA1
b2a307d7ade653e72fc8dc66a72ff15a75ba6b18

SHA256
325e844b92ccc11de1ca3804f1a7284941dd8162f2e0b721824a0f883956fd85

SHA512
99ebb7a3e1b778b4eed9966dddfcdedf33208bdd23343e50976819e41e690e4c4a0866ae04127dc395583dc854a2fdcaf4ead011895ba5a16d5ca34d85e781c6

Download Submit
\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
memory/384-99-0x000007FEFCD10000-0x000007FEFCD7C000-memory.dmp

Filesize
432KB

Download
memory/384-98-0x0000000001080000-0x000000000123C000-memory.dmp

Filesize
1.7MB

Download
memory/384-107-0x0000000001080000-0x000000000123C000-memory.dmp

Filesize
1.7MB

Download
memory/384-106-0x0000000001080000-0x000000000123C000-memory.dmp

Filesize
1.7MB

Download
memory/384-105-0x000007FEFEFB0000-0x000007FEFF1B3000-memory.dmp

Filesize
2.0MB

Download
memory/384-104-0x000007FEFE520000-0x000007FEFE64D000-memory.dmp

Filesize
1.2MB

Download
memory/384-103-0x000007FEF4B40000-0x000007FEF552C000-memory.dmp

Filesize
9.9MB

Download
memory/384-102-0x000007FEFE3A0000-0x000007FEFE47B000-memory.dmp

Filesize
876KB

Download
memory/384-101-0x000007FEF64D0000-0x000007FEF65C7000-memory.dmp

Filesize
988KB

Download
memory/384-129-0x0000000000510000-0x0000000000553000-memory.dmp

Filesize
268KB

Download
memory/384-100-0x000007FEFED10000-0x000007FEFED81000-memory.dmp

Filesize
452KB

Download
memory/384-108-0x000007FEF6100000-0x000007FEF622C000-memory.dmp

Filesize
1.2MB

Download
memory/384-97-0x0000000076D90000-0x0000000076EAF000-memory.dmp

Filesize
1.1MB

Download
memory/384-96-0x0000000000510000-0x0000000000553000-memory.dmp

Filesize
268KB

Download
memory/384-130-0x0000000001080000-0x000000000123C000-memory.dmp

Filesize
1.7MB

Download
memory/384-95-0x000007FEFE300000-0x000007FEFE39F000-memory.dmp

Filesize
636KB

Download
memory/384-94-0x0000000076C90000-0x0000000076D8A000-memory.dmp

Filesize
1000KB

Download
memory/384-93-0x000007FEFD110000-0x000007FEFD177000-memory.dmp

Filesize
412KB

Download
memory/384-92-0x000007FEF6A50000-0x000007FEF6AEC000-memory.dmp

Filesize
624KB

Download
memory/384-91-0x000007FEF65D0000-0x000007FEF663F000-memory.dmp

Filesize
444KB

Download
memory/384-121-0x000007FEFB2D0000-0x000007FEFB4E5000-memory.dmp

Filesize
2.1MB

Download
memory/384-124-0x000007FEFE960000-0x000007FEFEA37000-memory.dmp

Filesize
860KB

Download
memory/384-87-0x0000000000000000-mapping.dmp

Download
memory/520-73-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/520-72-0x0000000000000000-mapping.dmp

Download
memory/520-84-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/520-82-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/520-83-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/520-81-0x000007FEF53C0000-0x000007FEF5F1D000-memory.dmp

Filesize
11.4MB

Download
memory/520-76-0x000007FEEC9A0000-0x000007FEED3C3000-memory.dmp

Filesize
10.1MB

Download
memory/520-85-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/544-114-0x0000000000000000-mapping.dmp

Download
memory/552-123-0x0000000000000000-mapping.dmp

Download
memory/968-119-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/968-120-0x000000000298B000-0x00000000029AA000-memory.dmp

Filesize
124KB

Download
memory/968-118-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/968-117-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/968-109-0x0000000000000000-mapping.dmp

Download
memory/968-116-0x000007FEEB890000-0x000007FEEC3ED000-memory.dmp

Filesize
11.4MB

Download
memory/968-115-0x000007FEEC3F0000-0x000007FEECE13000-memory.dmp

Filesize
10.1MB

Download
memory/1276-75-0x000007FEFECF0000-0x000007FEFED0F000-memory.dmp

Filesize
124KB

Download
memory/1276-77-0x00000000002D0000-0x000000000048C000-memory.dmp

Filesize
1.7MB

Download
memory/1276-66-0x00000000002D0000-0x000000000048C000-memory.dmp

Filesize
1.7MB

Download
memory/1276-68-0x000007FEFE520000-0x000007FEFE64D000-memory.dmp

Filesize
1.2MB

Download
memory/1276-65-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/1276-56-0x000007FEF65A0000-0x000007FEF663C000-memory.dmp

Filesize
624KB

Download
memory/1276-69-0x000007FEFEFB0000-0x000007FEFF1B3000-memory.dmp

Filesize
2.0MB

Download
memory/1276-70-0x00000000002D0000-0x000000000048C000-memory.dmp

Filesize
1.7MB

Download
memory/1276-71-0x000007FEF6230000-0x000007FEF635C000-memory.dmp

Filesize
1.2MB

Download
memory/1276-55-0x000007FEF6A80000-0x000007FEF6AEF000-memory.dmp

Filesize
444KB

Download
memory/1276-57-0x000007FEFD110000-0x000007FEFD177000-memory.dmp

Filesize
412KB

Download
memory/1276-67-0x00000000000E0000-0x0000000000123000-memory.dmp

Filesize
268KB

Download
memory/1276-78-0x00000000000E0000-0x0000000000123000-memory.dmp

Filesize
268KB

Download
memory/1276-64-0x000007FEFE3A0000-0x000007FEFE47B000-memory.dmp

Filesize
876KB

Download
memory/1276-58-0x0000000076C90000-0x0000000076D8A000-memory.dmp

Filesize
1000KB

Download
memory/1276-63-0x000007FEF64A0000-0x000007FEF6597000-memory.dmp

Filesize
988KB

Download
memory/1276-62-0x000007FEFED10000-0x000007FEFED81000-memory.dmp

Filesize
452KB

Download
memory/1276-61-0x000007FEFCD10000-0x000007FEFCD7C000-memory.dmp

Filesize
432KB

Download
memory/1276-60-0x0000000076D90000-0x0000000076EAF000-memory.dmp

Filesize
1.1MB

Download
memory/1276-59-0x000007FEFE300000-0x000007FEFE39F000-memory.dmp

Filesize
636KB

Download
memory/1624-112-0x0000000000000000-mapping.dmp

Download
memory/1700-74-0x0000000000000000-mapping.dmp

Download
memory/1788-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads