c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9

Analysis

max time kernel
32s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe
Size

589KB
MD5

ca08bb3f98ea05d3a39a5afb18047895
SHA1

d1da66b67829bb011a17dc1ed5467c9352b2258b
SHA256

c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9
SHA512

417cef60104fce0f0ffc30c30d7d89406c829225fded5800713ecb9bac03ad8ddbb3cad5a1f2bcf1b24b59de9358e02bce1297d90bd3e3d42b76c0829b3f20ee
SSDEEP

12288:beykUj6dav1aMuD6upVUzhV8R3qX7BHzqGoKre+0crnECYJIdM:bOUj6UcPDPp6zhekRzXS+XDvq

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
788	update.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000126c9-55.dat	upx
behavioral1/memory/872-56-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/872-59-0x0000000002F60000-0x0000000002F74000-memory.dmp	upx
behavioral1/files/0x00090000000126c9-61.dat	upx
behavioral1/files/0x00090000000126c9-64.dat	upx
behavioral1/files/0x00090000000126c9-67.dat	upx
behavioral1/files/0x00090000000126c9-66.dat	upx
behavioral1/files/0x00090000000126c9-65.dat	upx
behavioral1/memory/872-63-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/788-70-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x00090000000126c9-73.dat	upx
behavioral1/files/0x00090000000126c9-74.dat	upx
behavioral1/files/0x00090000000126c9-75.dat	upx
behavioral1/files/0x00090000000126c9-76.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe
788	update.exe
788	update.exe
788	update.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
856	788	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 788	872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe	28
PID 872 wrote to memory of 788	872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe	28
PID 872 wrote to memory of 788	872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe	28
PID 872 wrote to memory of 788	872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe	28
PID 872 wrote to memory of 788	872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe	28
PID 872 wrote to memory of 788	872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe	28
PID 872 wrote to memory of 788	872	c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe	28
PID 788 wrote to memory of 856	788	update.exe	29
PID 788 wrote to memory of 856	788	update.exe	29
PID 788 wrote to memory of 856	788	update.exe	29
PID 788 wrote to memory of 856	788	update.exe	29
PID 788 wrote to memory of 856	788	update.exe	29
PID 788 wrote to memory of 856	788	update.exe	29
PID 788 wrote to memory of 856	788	update.exe	29

C:\Users\Admin\AppData\Local\Temp\c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe
"C:\Users\Admin\AppData\Local\Temp\c3f1fc4cfcfff38f0751234ecc0cceba6d48cfc060cca2b36f8a3d79618ca6d9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
36KB

MD5
ab2f4264fdb0659740d60384f8bdda5e

SHA1
5b8b5858169462915907e0007ce4a3b450a3e4d8

SHA256
27764ea83bcd5243b1e7fcdfccd265930eec7aecf7bd87d58cb793f8f6372d6d

SHA512
58705fb6486dc9507894603c605a4bc384fcf2ca8ba66ba66acf50e5e771c00087f225bf0b814ad8d01099ffe4ac661f7f6ce311b9b71b1f19295938b2e403d1

Download Submit
memory/788-69-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/788-79-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/788-77-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/788-71-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/788-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/788-72-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/788-78-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/872-59-0x0000000002F60000-0x0000000002F74000-memory.dmp

Filesize
80KB

Download
memory/872-58-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/872-57-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/872-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/872-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download