c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441

Analysis

max time kernel
48s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe
Size

172KB
MD5

6154c7ea76642820f2db3a86491405e7
SHA1

421be380ab18041f2573db9f5cae7c77127d923d
SHA256

c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441
SHA512

23b75e5b04a810f00dc5126f0f69372469f9ae1beb80f578789cc3aab55581f3af97203299e95042cf36e694ef68231f592d37fa133a39ac08f27a16ff065820
SSDEEP

3072:7N0GPaXTWQmnfizgd3AWO0/5OXb6e4kRoRicExK6zzama+9eQrso:yrC8P4Tf2zzRaee

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1760	c6041a556MBXQ.exe

Deletes itself 1 IoCs

pid	Process
1760	c6041a556MBXQ.exe

Loads dropped DLL 9 IoCs

pid	Process
1536	c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe
1536	c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
588	1760	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1760	c6041a556MBXQ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1760	c6041a556MBXQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1760	1536	c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe	26
PID 1536 wrote to memory of 1760	1536	c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe	26
PID 1536 wrote to memory of 1760	1536	c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe	26
PID 1536 wrote to memory of 1760	1536	c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe	26
PID 1760 wrote to memory of 588	1760	c6041a556MBXQ.exe	27
PID 1760 wrote to memory of 588	1760	c6041a556MBXQ.exe	27
PID 1760 wrote to memory of 588	1760	c6041a556MBXQ.exe	27
PID 1760 wrote to memory of 588	1760	c6041a556MBXQ.exe	27

C:\Users\Admin\AppData\Local\Temp\c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe
"C:\Users\Admin\AppData\Local\Temp\c6041a556adcd2512f5ba110a2f2702d1b77226d1864e7606df99de9829f3441.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe
  "C:\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe" -yue
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 528
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
\Users\Admin\AppData\Local\Temp\c6041a556MBXQ.exe

Filesize
172KB

MD5
2e47257ffa14c86cf0cbbd56c34da911

SHA1
b666dc60037a3972beb6d98adb98bb710da32d45

SHA256
a333ef389957288fdcfade548d3db2d155f9d9664bab3fa5b411cf4ea2591728

SHA512
4b9aa56109bee2da8edcc909586bd869be13e33eb4629f34d552f70d9e2b752297374e9ecafe336379e22f90266f9baf9763d6bd94d1ee5ba8cdaabbc3253545

Download Submit
memory/1536-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download