Analysis
-
max time kernel
152s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-11-2022 07:43
Static task
static1
Behavioral task
behavioral1
Sample
1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
Resource
win10v2004-20220812-en
General
-
Target
1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
-
Size
596KB
-
MD5
b09a08656becc46cf4f0547926f90cf8
-
SHA1
0b6f000fad78f9d9082344c724c0a2637046080e
-
SHA256
1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972
-
SHA512
cf77f7ee2720836db3f9480d244e5f3b9ed38e5ff981ae1b25c58e031571a6681886e5665c66b5303baf5880f9b75e3267e6a323c5cd18e0849bcb731bbf52de
-
SSDEEP
12288:ko0ZjcnNr3Sh4Ybgob0vSZcVm/IMnfiNAKrq4HMklp8W6Q1F:kPZjcnxY4eIvFMIQ6Pr7n
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
4240  ufZKjp.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process     target process
PID 4240 set thread context of 4976  4240  ufZKjp.exe  svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid   pid_target  process       target process
1312  4976        WerFault.exe  svchost.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
4240  ufZKjp.exe
4240  ufZKjp.exe
4240  ufZKjp.exe
4240  ufZKjp.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid   process
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid   process
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                       pid   process                                                                 target process
PID 3436 wrote to memory of 3876  3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe  cmd.exe
PID 3436 wrote to memory of 3876  3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe  cmd.exe
PID 3436 wrote to memory of 3876  3436  1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe  cmd.exe
PID 3876 wrote to memory of 4240  3876  cmd.exe                                                                 ufZKjp.exe
PID 3876 wrote to memory of 4240  3876  cmd.exe                                                                 ufZKjp.exe
PID 3876 wrote to memory of 4240  3876  cmd.exe                                                                 ufZKjp.exe
PID 4240 wrote to memory of 4976  4240  ufZKjp.exe                                                              svchost.exe
PID 4240 wrote to memory of 4976  4240  ufZKjp.exe                                                              svchost.exe
PID 4240 wrote to memory of 4976  4240  ufZKjp.exe                                                              svchost.exe
PID 4240 wrote to memory of 4976  4240  ufZKjp.exe                                                              svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe INRpVM
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe INRpVM
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\System32\svchost.exe"
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 84
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4976 -ip 4976
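The process tree above is the classic shape of process hollowing: a binary dropped into %TEMP% (ufZKjp.exe) spawns svchost.exe without the -k service-group argument and outside of services.exe, writes into it several times, calls SetThreadContext, and the hollowed svchost.exe then crashes under WerFault.exe. The script below is an added example of how a detection engineer would score that chain from endpoint telemetry; it is not the sandbox's own signature logic. The Event/Proc records, the thresholds and the event list are constructed here to mirror the report's PIDs and paths, and the "benign" list is invented as a negative control.

```python
"""Heuristic detection of the hollowing chain seen in the report (added
example; the event records are constructed, not sandbox output)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    kind: str                     # "create" | "write_memory" | "set_thread_context" | "crash"
    pid: int                      # acting process, or the new process for "create"
    image: str = ""               # image path (create only)
    parent: Optional[int] = None  # parent pid (create only)
    cmdline: str = ""             # command line (create only)
    target: Optional[int] = None  # victim pid (injection / crash events)


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image)


# Directories an unprivileged user can write to: injection from here is far
# more suspicious than from System32 or Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# On a healthy host svchost.exe is started by services.exe with a -k group.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}


def build_tree(events: List[Event]) -> Dict[int, Proc]:
    """Index every process-creation event by pid."""
    return {e.pid: Proc(e.pid, e.image, e.parent, e.cmdline)
            for e in events if e.kind == "create"}


def ancestry(procs: Dict[int, Proc], pid: Optional[int]) -> str:
    """Render root -> ... -> pid, stopping at unknown parents or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid].name} ({pid})")
        pid = procs[pid].parent
    return " -> ".join(reversed(chain))


def find_hollowing(events: List[Event]) -> List[dict]:
    """Flag SetThreadContext from a parent into a child it spawned, scored on
    the side indicators a hollowing loader usually leaves behind."""
    procs = build_tree(events)
    wrote = {(e.pid, e.target) for e in events if e.kind == "write_memory"}
    crashed = {e.target for e in events if e.kind == "crash"}
    findings = []
    for e in events:
        if e.kind != "set_thread_context":
            continue
        injector, victim = procs.get(e.pid), procs.get(e.target)
        # Debuggers also call SetThreadContext; only parent-on-own-child with
        # at least two corroborating indicators is reported.
        if injector is None or victim is None or victim.parent != injector.pid:
            continue
        reasons = []
        if any(d in injector.image.lower() for d in USER_WRITABLE):
            reasons.append("injector runs from a user-writable directory")
        if (injector.pid, victim.pid) in wrote:
            reasons.append("injector wrote into the child's memory")
        if victim.name.lower() == "svchost.exe":
            if injector.name.lower() not in EXPECTED_SVCHOST_PARENTS:
                reasons.append("svchost.exe spawned by a parent other than services.exe")
            if "-k" not in victim.cmdline.lower():
                reasons.append("svchost.exe started without a -k service-group argument")
        if len(reasons) < 2:
            continue
        findings.append({"injector_pid": injector.pid, "victim_pid": victim.pid,
                         "chain": ancestry(procs, victim.pid), "reasons": reasons,
                         # a hollowed host that dies is picked up by WerFault, as in the report
                         "crashed": victim.pid in crashed})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe"

# Constructed to mirror the report's process tree and signature hits.
SAMPLE_EVENTS = [
    Event("create", 3436, SAMPLE, None, f'"{SAMPLE}"'),
    Event("create", 3876, r"C:\Windows\SysWOW64\cmd.exe", 3436, rf"C:\Windows\system32\cmd.exe /c {DROPPER} INRpVM"),
    Event("create", 4240, DROPPER, 3876, f"{DROPPER} INRpVM"),
    Event("create", 4976, r"C:\Windows\SysWOW64\svchost.exe", 4240, r'"C:\Windows\System32\svchost.exe"'),
    *[Event("write_memory", 4240, target=4976) for _ in range(4)],
    Event("set_thread_context", 4240, target=4976),
    Event("create", 1312, r"C:\Windows\SysWOW64\WerFault.exe", 4976, r"C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 84"),
    Event("crash", 1312, target=4976),
]

# Constructed negatives: a normal service host, and a debugger that sets a
# thread context on its own debuggee without any other indicator.
BENIGN_EVENTS = [
    Event("create", 700, r"C:\Windows\System32\services.exe", 4, "services.exe"),
    Event("create", 1000, r"C:\Windows\System32\svchost.exe", 700, r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    Event("create", 2000, r"C:\Program Files\Debugger\dbg.exe", 1, "dbg.exe"),
    Event("create", 2001, r"C:\Program Files\App\app.exe", 2000, "app.exe"),
    Event("set_thread_context", 2000, target=2001),
]

if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_EVENTS):
        print(f"hollowing: {f['chain']} crashed={f['crashed']}")
        for r in f["reasons"]:
            print("  -", r)
    print("benign findings:", find_hollowing(BENIGN_EVENTS))
```

The two-indicator threshold is what keeps the debugger control quiet: SetThreadContext on a child is normal for a debugger or a launcher, so the rule only fires when the caller also lives in a user-writable path, has written into the child, or has spawned svchost.exe in a way services.exe never does. In real telemetry the same fields come from process-creation and cross-process-access events (Sysmon 1/8/10 or an EDR equivalent), and the crash-plus-WerFault corroboration is worth keeping as a low-priority hint rather than a requirement, since a successful hollow will not crash.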
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\INRpVM
Filesize
7KB
MD5
8b6b5bb58abe252c0690506e05102e99
SHA1
174d719bbbbae1e7a89d342c70ebc162769287b9
SHA256
542a63f17deed9808021404219009bc7c63d4354e0fb28cb073e514f8bdf8ad4
SHA512
88adf4b9a805b320fb6e1aa9d2d77f452d77d9f8fd06f8afcb000d8c9a037c59c163c794aa1f6c88c1fc138a6713f40fc686332c6e2b51e4ea28647432d5db69
-
C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
Filesize
510KB
MD5
01d151ccd2a75bd713b8ce81d6509eb8
SHA1
c751680d504bece45dc84e363e9e976fe77a8eac
SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801
SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d
-
C:\Users\Admin\AppData\Local\Temp\vujVHJ.txt
Filesize
235KB
MD5
ad733659b0fa0ca5bb21c4de23d291e7
SHA1
4ea03e36ad34f8fb43ea390fe662e069dec598e5
SHA256
9c7d314ddc390b3805916fc6bf809663a9777c0560cd042b768c07a2006c55ce
SHA512
692ae106b6ba48929ebfb081718b30c9fb6efd5cb3c1e1d7fbc92665267b0812e17f0912b1897ba0a58792cd9c6f040ecc12c64fd9fd1619b1d7ce5bf3cd3811
-
memory/3876-132-0x0000000000000000-mapping.dmp
-
memory/4240-133-0x0000000000000000-mapping.dmp
-
memory/4976-138-0x0000000000000000-mapping.dmp