1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7

Analysis

max time kernel
46s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 23:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe
Size

1.0MB
MD5

d5983b00e6fa2cfd49708832eec1a86c
SHA1

9a2ff1781fbad46f6f25fdbfdef8466c71bef9d1
SHA256

1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7
SHA512

97a1ba46fe44ee674d2e77b0738543623ebac1438c32975bf2ceec43ce6446f5f8edaca88b1aee06992bed67b85a5041136106d2d2057c9f92b3eba328005f45
SSDEEP

24576:OpY6Sppq4BgOrnHr8DnmBSkFISfYNrNjTLSxn:EGM4GOrnHwDQSkRfYNjXA

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1292	1416	WerFault.exe	26

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe
1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe
1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe
1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1292	1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe	27
PID 1416 wrote to memory of 1292	1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe	27
PID 1416 wrote to memory of 1292	1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe	27
PID 1416 wrote to memory of 1292	1416	1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe	27

C:\Users\Admin\AppData\Local\Temp\1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe
"C:\Users\Admin\AppData\Local\Temp\1bfb3a5acd05809f023a9e36779aedf968d8f6ccd3ce36f555445efe5d45e7d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 464
  2⤵
  - Program crash
  PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1127174840797\LZMA.dll

Filesize
67KB

MD5
d0f2416807f04c559e6394a0a4c7f1d1

SHA1
7df43ffa3716156d282b1e37d12dd1122f0a762c

SHA256
0fe6a869cf220769a058f8d281f272ef72669e3587673e52b53f3f9650dcf1fc

SHA512
8199c967ad813216f2ef3094a7614c9ccc95d35a817fc685cb7823f36cc97f0279bddd0ec0bb8f07ee2445476aaea35548516841ee9cde53a8be395515457799

Download Submit
memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download