Analysis
  max time kernel: 202s
  max time network: 208s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-11-2022 06:56
Static task: static1
Behavioral task: behavioral1
  Sample: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  Resource: win7-20220901-en
General
  Target: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  Size: 275KB
  MD5: 1fe8e5f03a721f0a37fbbf0ea5779d6d
  SHA1: ef876bed0fa429ee30b5395b69a89ad4d74a3fcc
  SHA256: 5eb0b4b21107152dfbfaed3a9c61233233d3cab8a650cbb88dcfc34cff1f99ec
  SHA512: 35331dc01b743553abc6e17c9aced57fa28d5bca9a0292b6ec5fc6f60574b8710605d7a4fa34a7331847dd4c9349ae1017d44aba975358612988a8a2c49cadac
  SSDEEP: 6144:+FU/LHPiDaqkg7kKCfVWkF6N+k17tzTpq:+FYjiDaTgvsu7hT
Malware Config
  Extracted
    Family: nymaim
    Addresses:
      45.139.105.171
      85.31.46.167
Signatures

  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    Processes: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
      process: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Program crash (8 IoCs)
    Processes: WerFault.exe (x8)
      pid   pid_target  process       target process
      484   2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      3368  2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      3160  2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      1484  2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      3936  2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      2896  2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      2968  2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
      4960  2544        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe

  Kills process with taskkill (1 IoC)
    Processes: taskkill.exe
      pid   process
      4968  taskkill.exe

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes: taskkill.exe
      description               pid   process
      Token: SeDebugPrivilege   4968  taskkill.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe, cmd.exe
      description                        pid   process                               target process
      PID 2544 wrote to memory of 2220   2544  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe  cmd.exe
      PID 2544 wrote to memory of 2220   2544  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe  cmd.exe
      PID 2544 wrote to memory of 2220   2544  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe  cmd.exe
      PID 2220 wrote to memory of 4968   2220  cmd.exe                               taskkill.exe
      PID 2220 wrote to memory of 4968   2220  cmd.exe                               taskkill.exe
      PID 2220 wrote to memory of 4968   2220  cmd.exe                               taskkill.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1fe8e5f03a721f0a37fbbf0ea5779d6d.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 692
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 764
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 948
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 956
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 792
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 960
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 980
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "1fe8e5f03a721f0a37fbbf0ea5779d6d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1fe8e5f03a721f0a37fbbf0ea5779d6d.exe" & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /im "1fe8e5f03a721f0a37fbbf0ea5779d6d.exe" /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 984
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2544 -ip 2544

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2544 -ip 2544

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2544 -ip 2544

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2544 -ip 2544

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2544 -ip 2544

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2544 -ip 2544

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2544 -ip 2544

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2544 -ip 2544
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  memory/2220-136-0x0000000000000000-mapping.dmp
  memory/2544-132-0x00000000009EE000-0x0000000000A15000-memory.dmp  (Filesize: 156KB)
  memory/2544-133-0x0000000000900000-0x0000000000940000-memory.dmp  (Filesize: 256KB)
  memory/2544-134-0x0000000000400000-0x0000000000663000-memory.dmp  (Filesize: 2.4MB)
  memory/2544-135-0x00000000009EE000-0x0000000000A15000-memory.dmp  (Filesize: 156KB)
  memory/2544-138-0x00000000009EE000-0x0000000000A15000-memory.dmp  (Filesize: 156KB)
  memory/2544-139-0x0000000000400000-0x0000000000663000-memory.dmp  (Filesize: 2.4MB)
  memory/4968-137-0x0000000000000000-mapping.dmp