cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 04:31

Target

cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
Size

470KB
MD5

ba27c6b81019a312eea3f6d060c7fa70
SHA1

81ee71045fcfedd2cfd68bf693a2d71829b3d949
SHA256

cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b
SHA512

9f637e9505afcc6cb6a4b738f6db2cd913a64fcb0741bd5da2c94b1ed413c7ca6c77a36394039800e8450f41d058730e1fba25433b3096eac95e0658d7b192f8
SSDEEP

12288:FlVWvTJvuhNV7lE1Hw3ymsZc80kYMx54UJfQcWNtTirdDQd:FrETUx7lWfARy4U9QcSTEdDG

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3516	AdobeSFX.log

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4608	3516	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2820	3212	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	82
PID 3212 wrote to memory of 2820	3212	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	82
PID 3212 wrote to memory of 2820	3212	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	82
PID 2820 wrote to memory of 3516	2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	83
PID 2820 wrote to memory of 3516	2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	83
PID 2820 wrote to memory of 3516	2820	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	83

C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
"C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
  C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
    C:\Users\Admin\AppData\Local\Temp\\AdobeSFX.log
    3⤵
    - Executes dropped EXE
    PID:3516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 524
      4⤵
      Program crash
      PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3516 -ip 3516
1⤵
PID:4260

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
714KB

MD5
1aaa1057ed1127f2ac89a367aaa36b2e

SHA1
88c3f162a889d72a071450fa0d3d7b0dcd75c3f7

SHA256
fb2cba9c9fd2c642af72fd5f59840a748ee78e3439e4e74fd4ffc7a79cea353a

SHA512
f287c8fc493869acae216a590771938bc14666d307812f170e0b503a32f41f745bb10053aaa48885accb125760e3bc3fe672084428b4ab26c720df3c2a53a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
714KB

MD5
1aaa1057ed1127f2ac89a367aaa36b2e

SHA1
88c3f162a889d72a071450fa0d3d7b0dcd75c3f7

SHA256
fb2cba9c9fd2c642af72fd5f59840a748ee78e3439e4e74fd4ffc7a79cea353a

SHA512
f287c8fc493869acae216a590771938bc14666d307812f170e0b503a32f41f745bb10053aaa48885accb125760e3bc3fe672084428b4ab26c720df3c2a53a542

Download Submit
memory/3516-136-0x0000000000400000-0x0000000000B64000-memory.dmp

Filesize
7.4MB

Download
memory/3516-137-0x0000000001210000-0x0000000001253000-memory.dmp

Filesize
268KB

Download