cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe
Size

443KB
MD5

3e9b02fef05c3364a4d688f3b7ea8741
SHA1

ecb95240df4befdbdc96e3697b13a32a43296095
SHA256

cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d
SHA512

1fa50f692e8be489ae923ec0e5fec8aca41e7eaba32d4471e795051be2ffb8040c569b246ff351c3e49a6056eea027113baf1c94bff890aebcd83062606fbe29
SSDEEP

12288:XFJs3XraGmcmd/26o9juQ+pDQZPCgev4YYbTu:Xjs3XFxxpJ+pDKQJoTu

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1596-56-0x0000000000400000-0x00000000004E5000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1596-56-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1776 1596 WerFault.exe cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe

pid	pid_target	process	target process
1776	1596	WerFault.exe	cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe

description	pid	process	target process
PID 1596 wrote to memory of 1776	1596	cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe	WerFault.exe
PID 1596 wrote to memory of 1776	1596	cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe	WerFault.exe
PID 1596 wrote to memory of 1776	1596	cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe	WerFault.exe
PID 1596 wrote to memory of 1776	1596	cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe
"C:\Users\Admin\AppData\Local\Temp\cec38dab7cb263d1cd96f3908a87d7282df4dcdf3e362b773414e4a2d766862d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 388
2⤵
- Program crash
PID:1776

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1596-56-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1776-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads