d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f

Analysis

max time kernel
4s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe
Size

146KB
MD5

a752ace9308f6f7b20c72cfd96f21358
SHA1

847a15885f15d981ab9a8c29aa3f8e73418b2282
SHA256

d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f
SHA512

b8806cb36780b39d7806eb40bb8914f8070bbf49f9cb302c34fd6bd6a15aebadd84da7065dbfb17536d6c760962e195db3f40d781606940129d0dc55129d75c9
SSDEEP

3072:XmZtLUK5BRyxxfJSihe7Mer29AkHCzkP0lB:XmZtn5OXfLG8A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
532	ExpressVids.exe

Loads dropped DLL 10 IoCs

pid	Process
1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe
1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe
532	ExpressVids.exe
532	ExpressVids.exe
532	ExpressVids.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	532	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 532	1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe	28
PID 1760 wrote to memory of 532	1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe	28
PID 1760 wrote to memory of 532	1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe	28
PID 1760 wrote to memory of 532	1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe	28
PID 1760 wrote to memory of 532	1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe	28
PID 1760 wrote to memory of 532	1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe	28
PID 1760 wrote to memory of 532	1760	d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe	28
PID 532 wrote to memory of 1080	532	ExpressVids.exe	29
PID 532 wrote to memory of 1080	532	ExpressVids.exe	29
PID 532 wrote to memory of 1080	532	ExpressVids.exe	29
PID 532 wrote to memory of 1080	532	ExpressVids.exe	29
PID 532 wrote to memory of 1080	532	ExpressVids.exe	29
PID 532 wrote to memory of 1080	532	ExpressVids.exe	29
PID 532 wrote to memory of 1080	532	ExpressVids.exe	29

C:\Users\Admin\AppData\Local\Temp\d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe
"C:\Users\Admin\AppData\Local\Temp\d7c3c6eeac20962183eafd8795cfdf4c2a1fb02143b4ca4b8570e03736ebb21f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe
  C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 284
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
85KB

MD5
c13ff33c89e93539e868d7dcb2e2c1f6

SHA1
fe66ded2856ab4ffe233fddd8c835eb6ef3755f7

SHA256
c12303594943d73f1c0e02ab6ef34e65a158ffc26b0db23d7664cd541180ef1c

SHA512
15fcff9d68ad47dd2236f0a75fcc4fed1270fe76bc81eaf64298e415c154f7c4eb470361f24edc268ece3d5eeb8dc67c278485265aab50e87d2e253f0871ce63

Download Submit
memory/532-64-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/532-71-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/1760-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download