a8adc7036a7a03918905f6dff69620b90effb8fc704c87c2f935b478181be704

Analysis

max time kernel
192s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8adc7036a7a03918905f6dff69620b90effb8fc704c87c2f935b478181be704.exe
Size

2.0MB
MD5

f8a826ce8f80307131162fb39b9c4762
SHA1

98a5adf9c58ef4d210fc021e677d59fa03456984
SHA256

a8adc7036a7a03918905f6dff69620b90effb8fc704c87c2f935b478181be704
SHA512

b3ee3c357ffae7ff3b0ae0c9e391dbb24b3d11d2a200e518a52d37acc8d72a6cb94be7ee9650e63f7b77caa3b189f20ffcd0077c7bb658ca30eecc9c082e4270
SSDEEP

49152:7CAjljBKgO/eHXpSN56r+vPX6zAIxve4DZNsBniKpfKynky0lu:og0T6r+vPX6zAIxW4gBbncu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
308	1832	WerFault.exe	79
5080	1832	WerFault.exe	79
4544	1832	WerFault.exe	79
4268	1832	WerFault.exe	79

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1832	a8adc7036a7a03918905f6dff69620b90effb8fc704c87c2f935b478181be704.exe

C:\Users\Admin\AppData\Local\Temp\a8adc7036a7a03918905f6dff69620b90effb8fc704c87c2f935b478181be704.exe
"C:\Users\Admin\AppData\Local\Temp\a8adc7036a7a03918905f6dff69620b90effb8fc704c87c2f935b478181be704.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 752
  2⤵
  - Program crash
  PID:308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 752
  2⤵
  - Program crash
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1312
  2⤵
  - Program crash
  PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1316
  2⤵
  - Program crash
  PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1832 -ip 1832
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1832 -ip 1832
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1832 -ip 1832
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1832 -ip 1832
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-132-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1832-133-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1832-134-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download