Analysis
max time kernel: 152s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 06:56
Static task: static1
Behavioral task: behavioral1
Sample: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
Resource: win7-20220812-en
General
Target: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
Size: 275KB
MD5: 1fe8e5f03a721f0a37fbbf0ea5779d6d
SHA1: ef876bed0fa429ee30b5395b69a89ad4d74a3fcc
SHA256: 5eb0b4b21107152dfbfaed3a9c61233233d3cab8a650cbb88dcfc34cff1f99ec
SHA512: 35331dc01b743553abc6e17c9aced57fa28d5bca9a0292b6ec5fc6f60574b8710605d7a4fa34a7331847dd4c9349ae1017d44aba975358612988a8a2c49cadac
SSDEEP: 6144:+FU/LHPiDaqkg7kKCfVWkF6N+k17tzTpq:+FYjiDaTgvsu7hT
Malware Config
Extracted: nymaim
45.139.105.171
85.31.46.167
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: 1fe8e5f03a721f0a37fbbf0ea5779d6d.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (7 IoCs)
Processes:
  pid   pid_target  process       target process
  1516  2992        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  4680  2992        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  3380  2992        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  4868  2992        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  3284  2992        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  4256  2992        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
  1860  2992        WerFault.exe  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe

Kills process with taskkill (1 IoCs)
Processes:
  pid   process
  1848  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1848  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                               target process
  PID 2992 wrote to memory of 4084  2992  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe  cmd.exe
  PID 2992 wrote to memory of 4084  2992  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe  cmd.exe
  PID 2992 wrote to memory of 4084  2992  1fe8e5f03a721f0a37fbbf0ea5779d6d.exe  cmd.exe
  PID 4084 wrote to memory of 1848  4084  cmd.exe                               taskkill.exe
  PID 4084 wrote to memory of 1848  4084  cmd.exe                               taskkill.exe
  PID 4084 wrote to memory of 1848  4084  cmd.exe                               taskkill.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1fe8e5f03a721f0a37fbbf0ea5779d6d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1fe8e5f03a721f0a37fbbf0ea5779d6d.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 732
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 752
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 924
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 912
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 912
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 944
        - Program crash

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "1fe8e5f03a721f0a37fbbf0ea5779d6d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1fe8e5f03a721f0a37fbbf0ea5779d6d.exe" & exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\taskkill.exe
            command line: taskkill /im "1fe8e5f03a721f0a37fbbf0ea5779d6d.exe" /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1060
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2992 -ip 2992

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2992 -ip 2992

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2992 -ip 2992

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2992 -ip 2992

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2992 -ip 2992

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2992 -ip 2992

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2992 -ip 2992
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1848-136-0x0000000000000000-mapping.dmp
memory/2992-132-0x000000000097E000-0x00000000009A5000-memory.dmp (filesize 156KB)
memory/2992-133-0x0000000000900000-0x0000000000940000-memory.dmp (filesize 256KB)
memory/2992-134-0x0000000000400000-0x0000000000663000-memory.dmp (filesize 2.4MB)
memory/2992-137-0x000000000097E000-0x00000000009A5000-memory.dmp (filesize 156KB)
memory/2992-138-0x0000000000400000-0x0000000000663000-memory.dmp (filesize 2.4MB)
memory/4084-135-0x0000000000000000-mapping.dmp