f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0

Analysis

max time kernel
70s
max time network
81s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe
Size

153KB
MD5

b0243a1d988e5098957056b42522cc4d
SHA1

f6a10e09e714e3b61d2d338f86c5fdd97ce4c9fb
SHA256

f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0
SHA512

22ee4726d55219c5ca291dc8409c6044252a05ceccc4676e1534a2c326bb40fb8552a21e2814ee09ab82c1aa29ca2be9bd48001377125f466723a9d4b2d795d8
SSDEEP

3072:3u2PY/bNP86wgQksh1yqE2/pDIDByysDXetyZa/9VGShOHT:VPY/bNPbsHyqE2/SDByysTetga/yHT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2000	mh2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\aa.txt	f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe
File created	C:\WINDOWS\bb.txt	f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
780	2000	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2000	2044	f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe	28
PID 2044 wrote to memory of 2000	2044	f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe	28
PID 2044 wrote to memory of 2000	2044	f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe	28
PID 2044 wrote to memory of 2000	2044	f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe	28
PID 2000 wrote to memory of 780	2000	mh2.exe	29
PID 2000 wrote to memory of 780	2000	mh2.exe	29
PID 2000 wrote to memory of 780	2000	mh2.exe	29
PID 2000 wrote to memory of 780	2000	mh2.exe	29

C:\Users\Admin\AppData\Local\Temp\f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe
"C:\Users\Admin\AppData\Local\Temp\f6fcac10f90301fded82d28022cafdf163c1fe3fd1256e22881d42caad100ef0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2044
- C:\mh2.exe
  "C:\mh2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 88
    3⤵
    - Program crash
    PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\mh2.exe

Filesize
100KB

MD5
2036193b67e8a12bc47a1be820b9446f

SHA1
8a4fa659c10354dc4da905075d96b9e86c27616c

SHA256
ece7098d7d3acab5498d87787505d9367e6a5d11c13b8669bcff658e51d75299

SHA512
5b07e52e59304e042b3ee1c3c4dfc20467554b8a30c685274c22bb1c15b5579795a0d6f0610b01eb26c5ffc6b6a4cf1077284f606463f6441d48045a88401250

Download Submit
memory/2044-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download