0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e

Analysis

max time kernel
55s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
Size

1.3MB
MD5

2ad2fbe4509e650c839ea7bc1f6fdd14
SHA1

e654cd67c50a97267b2bf2eec66f643a28e60d68
SHA256

0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e
SHA512

6ff772151351d244fe4d054e17f9fcde4f6899aedfe7f80ee1994e21db87dba2c53abfb12bcf878414745c689b2a5180ea0a972d816a348bbf1c67b0e0baca4e
SSDEEP

12288:KqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+XQgAQ0hKJieRHL3:KnajQEPnvg6PhWDC750XgKJ3r3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
1936	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Loads dropped DLL 18 IoCs

pid	Process
1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1636	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1652	1668	WerFault.exe	28
1636	1936	WerFault.exe	29

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1668	1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe	28
PID 1980 wrote to memory of 1668	1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe	28
PID 1980 wrote to memory of 1668	1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe	28
PID 1980 wrote to memory of 1668	1980	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe	28
PID 1668 wrote to memory of 1936	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	29
PID 1668 wrote to memory of 1936	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	29
PID 1668 wrote to memory of 1936	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	29
PID 1668 wrote to memory of 1936	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	29
PID 1936 wrote to memory of 1636	1936	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe	31
PID 1936 wrote to memory of 1636	1936	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe	31
PID 1936 wrote to memory of 1636	1936	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe	31
PID 1936 wrote to memory of 1636	1936	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe	31
PID 1668 wrote to memory of 1652	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	30
PID 1668 wrote to memory of 1652	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	30
PID 1668 wrote to memory of 1652	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	30
PID 1668 wrote to memory of 1652	1668	0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe	30

C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
"C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
  C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe
    C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:1636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 100
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe

Filesize
186KB

MD5
c9a80e0152f8800a9104b1c41798052d

SHA1
efbdbc43669758e3fec21034ab8f0732bf3d9305

SHA256
3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

SHA512
730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe

Filesize
92KB

MD5
87a19429b56f78cc468cda78eee027fa

SHA1
0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

SHA256
5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

SHA512
02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

Download Submit
memory/1668-85-0x0000000002270000-0x000000000231F000-memory.dmp

Filesize
700KB

Download
memory/1668-82-0x0000000002270000-0x000000000231F000-memory.dmp

Filesize
700KB

Download
memory/1668-81-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1668-83-0x0000000002270000-0x000000000231F000-memory.dmp

Filesize
700KB

Download
memory/1936-84-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1980-79-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1980-80-0x0000000001E30000-0x0000000001EF7000-memory.dmp

Filesize
796KB

Download
memory/1980-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download