baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe
Size

222KB
MD5

9f84c9ecd51b4c80d90ae34d93f60993
SHA1

6f38a9ab31298873ad5befb16cee186d7545d55a
SHA256

baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2
SHA512

363af8489b9dde4ea7d38659d646201129e3a7bb40053b5200ea17902f46e3509d0f0cce8fff4d51ec422f94bd896fcadea84265d3b5dbeeb3d48205813f8daf
SSDEEP

6144:8d93ZBZMbqYgomHmXWValAHcv5NNyhTQrfWonYVhNlYX:8r3ZBIRi4G8v5NgcfWGX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	15.exe

Loads dropped DLL 9 IoCs

pid	Process
1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe
1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe
2028	15.exe
2028	15.exe
2028	15.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
564	2028	WerFault.exe	27

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2028	1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe	27
PID 1280 wrote to memory of 2028	1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe	27
PID 1280 wrote to memory of 2028	1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe	27
PID 1280 wrote to memory of 2028	1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe	27
PID 1280 wrote to memory of 2028	1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe	27
PID 1280 wrote to memory of 2028	1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe	27
PID 1280 wrote to memory of 2028	1280	baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe	27
PID 2028 wrote to memory of 564	2028	15.exe	28
PID 2028 wrote to memory of 564	2028	15.exe	28
PID 2028 wrote to memory of 564	2028	15.exe	28
PID 2028 wrote to memory of 564	2028	15.exe	28
PID 2028 wrote to memory of 564	2028	15.exe	28
PID 2028 wrote to memory of 564	2028	15.exe	28
PID 2028 wrote to memory of 564	2028	15.exe	28

C:\Users\Admin\AppData\Local\Temp\baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe
"C:\Users\Admin\AppData\Local\Temp\baf40ef47649293a383d12b7b6ccc27b893ac757ffc816cbd54784a9819b09f2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\15.exe
  "C:\Users\Admin\AppData\Local\Temp\15.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
\Users\Admin\AppData\Local\Temp\15.exe

Filesize
126KB

MD5
264bb9edac9b7f166c7aa8ebb9238ebf

SHA1
0121c1912a4ab05b08a7f43b8430276bb0798363

SHA256
f5acdb0603469661bd48d715906dd8c0f026d1c125df55e4699d4cc886f20f8a

SHA512
f19c5c4c5ac153806f60e046972a2c6079d872220f16679f20671c9f4716d7698d239db80a3c79ce929ae5ded9de92c2ef30b76d97a38dc0b44b026447c1a0a4

Download Submit
memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/2028-69-0x0000000000230000-0x0000000000285000-memory.dmp

Filesize
340KB

Download
memory/2028-70-0x0000000000230000-0x0000000000285000-memory.dmp

Filesize
340KB

Download
memory/2028-71-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2028-72-0x0000000000230000-0x0000000000285000-memory.dmp

Filesize
340KB

Download