25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584

Analysis

max time kernel
44s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.20755.26920.exe
Size

224KB
MD5

f1f6b87aa6a7bb1c6a2beda153fc607b
SHA1

2964b06681eefb74a586b17756428d6c0cc08bdd
SHA256

25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584
SHA512

694c35b6c161358628c0f6ec0d3233fd7b2ade2cade6547f9cfd447e46c52dd0226d95f35da0a8c57f58bf5ace49d20c49cac36ad2d327f6c90cff755ea819cb
SSDEEP

6144:QBn185+KUnqBjp5S+xXVkWo3zAc/Enof7PdS5EYEdB:gaAyjp5SCVvo3zgof7P8+YEdB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

hfjdiwwb.exehfjdiwwb.exe

pid process

1088 hfjdiwwb.exe
1988 hfjdiwwb.exe
Loads dropped DLL 5 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.20755.26920.exehfjdiwwb.exeWerFault.exe

pid process

1344 SecuriteInfo.com.FileRepMalware.20755.26920.exe
1088 hfjdiwwb.exe
552 WerFault.exe
552 WerFault.exe
552 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hfjdiwwb.exe

description pid process target process

PID 1088 set thread context of 1988 1088 hfjdiwwb.exe hfjdiwwb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

552 1988 WerFault.exe hfjdiwwb.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

hfjdiwwb.exe

pid process

1088 hfjdiwwb.exe
1088 hfjdiwwb.exe

pid	process
1088	hfjdiwwb.exe
1988	hfjdiwwb.exe

pid	process
1344	SecuriteInfo.com.FileRepMalware.20755.26920.exe
1088	hfjdiwwb.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe

description	pid	process	target process
PID 1088 set thread context of 1988	1088	hfjdiwwb.exe	hfjdiwwb.exe

pid	pid_target	process	target process
552	1988	WerFault.exe	hfjdiwwb.exe

pid	process
1088	hfjdiwwb.exe
1088	hfjdiwwb.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.20755.26920.exehfjdiwwb.exehfjdiwwb.exe

description	pid	process	target process
PID 1344 wrote to memory of 1088	1344	SecuriteInfo.com.FileRepMalware.20755.26920.exe	hfjdiwwb.exe
PID 1344 wrote to memory of 1088	1344	SecuriteInfo.com.FileRepMalware.20755.26920.exe	hfjdiwwb.exe
PID 1344 wrote to memory of 1088	1344	SecuriteInfo.com.FileRepMalware.20755.26920.exe	hfjdiwwb.exe
PID 1344 wrote to memory of 1088	1344	SecuriteInfo.com.FileRepMalware.20755.26920.exe	hfjdiwwb.exe
PID 1088 wrote to memory of 1988	1088	hfjdiwwb.exe	hfjdiwwb.exe
PID 1088 wrote to memory of 1988	1088	hfjdiwwb.exe	hfjdiwwb.exe
PID 1088 wrote to memory of 1988	1088	hfjdiwwb.exe	hfjdiwwb.exe
PID 1088 wrote to memory of 1988	1088	hfjdiwwb.exe	hfjdiwwb.exe
PID 1088 wrote to memory of 1988	1088	hfjdiwwb.exe	hfjdiwwb.exe
PID 1988 wrote to memory of 552	1988	hfjdiwwb.exe	WerFault.exe
PID 1988 wrote to memory of 552	1988	hfjdiwwb.exe	WerFault.exe
PID 1988 wrote to memory of 552	1988	hfjdiwwb.exe	WerFault.exe
PID 1988 wrote to memory of 552	1988	hfjdiwwb.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.20755.26920.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.20755.26920.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
"C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe" C:\Users\Admin\AppData\Local\Temp\zeesmnkse.s
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
"C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvgmwmmyefz.bwe
Filesize
185KB

MD5
1c945c8ec5c2f5197948aea61cab057e

SHA1
79b9dbb2849f170c7b1de78a3c8e3818b5c8a11d

SHA256
27d5be39ba9e5aeba868a04ea4c251c3719242f656fbce09050c20b81f6ac751

SHA512
757d8028bb9397c11aebb3b7c8c8a4dc15aa9b7a03288a8c2e94e3369716c118605ba3ac42aca85901b7dd42f78454fa566a7b0f0c5570c524b4582a73f97794

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeesmnkse.s
Filesize
5KB

MD5
4230431061fb7d5522a0bf04013fe531

SHA1
dbc2021a068247d14e65c19518fe28c42f8d9665

SHA256
26e048d856f00c449c2720f0aab7302af8212abbdfae6f7b6bfbf94469104269

SHA512
bb1dab8b2d706c780e1286dcb75ce43c0708449ef4f47c6af87001d9a39bd5deeef874ccd45115a4ab56f34bbbe56464c5a170bd43a63fa3c6a9188f0eb6d78a

Download Submit
\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
Filesize
12KB

MD5
dee9967bfc964052c9343e69b90b7c31

SHA1
c12da34124e0f9b84685874d0970cbd55dd3ebe4

SHA256
2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

SHA512
3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

Download Submit
memory/552-64-0x0000000000000000-mapping.dmp

Download
memory/1088-56-0x0000000000000000-mapping.dmp

Download
memory/1344-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1988-62-0x00000000000812B0-mapping.dmp

Download