e90c54d32e7a267681bef788fefb68a4a6ed2c74718039cd5d5fce43c6f33377

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL_INVOICE#-00834.exe
Size

262KB
MD5

c4c96fd02d8673927cf596fc80cd8647
SHA1

8b5c6d26685f5c0373ba95ea3f5c76e19a1548de
SHA256

e90c54d32e7a267681bef788fefb68a4a6ed2c74718039cd5d5fce43c6f33377
SHA512

3f72d7cee8db3e880b33ef483f5e706d2e9308582d60385660a2ae4b37a7e879cd7fa01b1c583e0e7399b51f9887ce384333754282c783d85953ff0edaf17696
SSDEEP

6144:NBn0lN4V4dffxSB8diLsh6JUIbcubtlVzNb:EDXxSBxLshR/ubzVh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

fbtgbm.exefbtgbm.exe

pid process

1708 fbtgbm.exe
912 fbtgbm.exe
Loads dropped DLL 5 IoCs

Processes:

DHL_INVOICE#-00834.exefbtgbm.exeWerFault.exe

pid process

364 DHL_INVOICE#-00834.exe
1708 fbtgbm.exe
984 WerFault.exe
984 WerFault.exe
984 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fbtgbm.exe

description pid process target process

PID 1708 set thread context of 912 1708 fbtgbm.exe fbtgbm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

984 912 WerFault.exe fbtgbm.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

fbtgbm.exe

pid process

1708 fbtgbm.exe
1708 fbtgbm.exe

pid	process
1708	fbtgbm.exe
912	fbtgbm.exe

pid	process
364	DHL_INVOICE#-00834.exe
1708	fbtgbm.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe

description	pid	process	target process
PID 1708 set thread context of 912	1708	fbtgbm.exe	fbtgbm.exe

pid	pid_target	process	target process
984	912	WerFault.exe	fbtgbm.exe

pid	process
1708	fbtgbm.exe
1708	fbtgbm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DHL_INVOICE#-00834.exefbtgbm.exefbtgbm.exe

description	pid	process	target process
PID 364 wrote to memory of 1708	364	DHL_INVOICE#-00834.exe	fbtgbm.exe
PID 364 wrote to memory of 1708	364	DHL_INVOICE#-00834.exe	fbtgbm.exe
PID 364 wrote to memory of 1708	364	DHL_INVOICE#-00834.exe	fbtgbm.exe
PID 364 wrote to memory of 1708	364	DHL_INVOICE#-00834.exe	fbtgbm.exe
PID 1708 wrote to memory of 912	1708	fbtgbm.exe	fbtgbm.exe
PID 1708 wrote to memory of 912	1708	fbtgbm.exe	fbtgbm.exe
PID 1708 wrote to memory of 912	1708	fbtgbm.exe	fbtgbm.exe
PID 1708 wrote to memory of 912	1708	fbtgbm.exe	fbtgbm.exe
PID 1708 wrote to memory of 912	1708	fbtgbm.exe	fbtgbm.exe
PID 912 wrote to memory of 984	912	fbtgbm.exe	WerFault.exe
PID 912 wrote to memory of 984	912	fbtgbm.exe	WerFault.exe
PID 912 wrote to memory of 984	912	fbtgbm.exe	WerFault.exe
PID 912 wrote to memory of 984	912	fbtgbm.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
"C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe" C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
"C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\imzbj.qm
Filesize
185KB

MD5
50ad533858f9a65a0ce926bf0b396619

SHA1
ae88e2d52163e66666ef78f6559db7534dd9dbb6

SHA256
7fdbf2b32a07ce5b22762439f2251725170fe4bef290e07ac566b1a0b4c6cb64

SHA512
3d13a4faa0719e531f7ed00ca841b9bffa360c3fadd3c34697d4b1ab27bdcfce27f79e80e9e5fa5a62baaec70d78040ac1092b3f97bed45ee748638cde8887f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
Filesize
5KB

MD5
fd876a99321992ceaff68b84bbdbbbe0

SHA1
0239567f1a08dd305fe9351783abc9c2ce67c2d8

SHA256
d9faf20ff13fff6619c79af16313646de9d13e9d6686c1ca91c596b50a89dabd

SHA512
6901a2b7eae60cab62688e8028a51c0eea5487825e7bc7cc52a126040df405171609dd45e8fbb8a8a5af5b9d4ba3745a83eda07993339f24968113cd548237cd

Download Submit
\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/912-63-0x00000000000812B0-mapping.dmp

Download
memory/984-65-0x0000000000000000-mapping.dmp

Download
memory/1708-56-0x0000000000000000-mapping.dmp

Download