99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440

Analysis

max time kernel
183s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 23:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe
Size

183KB
MD5

a060d46100153671c7755e322c8ef05c
SHA1

c93f45bb67d18cfe81bef57a760c76cfbc5cf89e
SHA256

99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440
SHA512

2e525bdc6046cd8d36edcf0a4f3b0bb2d972c3e1c577fbc46c4906d780e0013a7a1561173fb2620f3e94f7a613fb1b1ef57a42611e238dcaae7abeb65702c231
SSDEEP

3072:IgXdZt9P6D3XJbCitG3Iv6MLSaJa93Yvut38WEZgg1P2kJxKOEsdYPe7q8lHr6uC:Ie344itCIyXa4OGtsWEZz1OkJ4adYPyG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3356	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4152	3356	WerFault.exe	82
4528	3356	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 3356	3328	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	82
PID 3328 wrote to memory of 3356	3328	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	82
PID 3328 wrote to memory of 3356	3328	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	82
PID 3356 wrote to memory of 4152	3356	rundll32.exe	85
PID 3356 wrote to memory of 4152	3356	rundll32.exe	85
PID 3356 wrote to memory of 4152	3356	rundll32.exe	85

C:\Users\Admin\AppData\Local\Temp\99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe
"C:\Users\Admin\AppData\Local\Temp\99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\miniloader.dll",Install C:\Users\Admin\AppData\Local\Temp\activate.dat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 664
    3⤵
    - Program crash
    PID:4152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 664
    3⤵
    - Program crash
    PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3356 -ip 3356
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3356 -ip 3356
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
192KB

MD5
c231cd57c8c6ca8e4215d20d46b265bf

SHA1
2b0853c6b42c080d54e197bb75758300db8fe1f2

SHA256
5a2dc25042efefb5c099296cb37cccb237aee9197865435676c1b87b16de8225

SHA512
80f4fdbccb9e24b1dee487eb67c35b780a994aca301af282993d82e7de684adf77e653fcd77709305694ed10257bc67883385df68ed42fbae8560282ce7ba9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
192KB

MD5
c231cd57c8c6ca8e4215d20d46b265bf

SHA1
2b0853c6b42c080d54e197bb75758300db8fe1f2

SHA256
5a2dc25042efefb5c099296cb37cccb237aee9197865435676c1b87b16de8225

SHA512
80f4fdbccb9e24b1dee487eb67c35b780a994aca301af282993d82e7de684adf77e653fcd77709305694ed10257bc67883385df68ed42fbae8560282ce7ba9cc

Download Submit
memory/3356-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download