c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb

Analysis

max time kernel
4s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe
Size

342KB
MD5

cd0e4cab67b7fd76ef5d6bdcb7f25a21
SHA1

a27ade3067d85e7ed462266b503caed5ef89d3dc
SHA256

c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb
SHA512

c3ae7c68e14ddd2064c926d419ca88531d0344868792b81f8daab42c63aa28a096781fbb0cf38fd367cbf64d94ef073c17d17cef762b5e99bb110ebe00345195
SSDEEP

6144:ZBnbr9ZL8bW6Bg1GzljLDEkYiDifeaOcpTlSxbJ3bzGUAR6ZTu:HfL8bQalnDlRexQxNSlR7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

jrjvptrkw.exejrjvptrkw.exe

pid process

1252 jrjvptrkw.exe
2028 jrjvptrkw.exe
Loads dropped DLL 5 IoCs

Processes:

cd0e4cab67b7fd76ef5d6bdcb7f25a21.exejrjvptrkw.exeWerFault.exe

pid process

1808 cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe
1252 jrjvptrkw.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jrjvptrkw.exe

description pid process target process

PID 1252 set thread context of 2028 1252 jrjvptrkw.exe jrjvptrkw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1484 2028 WerFault.exe jrjvptrkw.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

jrjvptrkw.exe

pid process

1252 jrjvptrkw.exe
1252 jrjvptrkw.exe

pid	process
1252	jrjvptrkw.exe
2028	jrjvptrkw.exe

pid	process
1808	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe
1252	jrjvptrkw.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe

description	pid	process	target process
PID 1252 set thread context of 2028	1252	jrjvptrkw.exe	jrjvptrkw.exe

pid	pid_target	process	target process
1484	2028	WerFault.exe	jrjvptrkw.exe

pid	process
1252	jrjvptrkw.exe
1252	jrjvptrkw.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cd0e4cab67b7fd76ef5d6bdcb7f25a21.exejrjvptrkw.exejrjvptrkw.exe

description	pid	process	target process
PID 1808 wrote to memory of 1252	1808	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe	jrjvptrkw.exe
PID 1808 wrote to memory of 1252	1808	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe	jrjvptrkw.exe
PID 1808 wrote to memory of 1252	1808	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe	jrjvptrkw.exe
PID 1808 wrote to memory of 1252	1808	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe	jrjvptrkw.exe
PID 1252 wrote to memory of 2028	1252	jrjvptrkw.exe	jrjvptrkw.exe
PID 1252 wrote to memory of 2028	1252	jrjvptrkw.exe	jrjvptrkw.exe
PID 1252 wrote to memory of 2028	1252	jrjvptrkw.exe	jrjvptrkw.exe
PID 1252 wrote to memory of 2028	1252	jrjvptrkw.exe	jrjvptrkw.exe
PID 1252 wrote to memory of 2028	1252	jrjvptrkw.exe	jrjvptrkw.exe
PID 2028 wrote to memory of 1484	2028	jrjvptrkw.exe	WerFault.exe
PID 2028 wrote to memory of 1484	2028	jrjvptrkw.exe	WerFault.exe
PID 2028 wrote to memory of 1484	2028	jrjvptrkw.exe	WerFault.exe
PID 2028 wrote to memory of 1484	2028	jrjvptrkw.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe
"C:\Users\Admin\AppData\Local\Temp\cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
"C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe" C:\Users\Admin\AppData\Local\Temp\aomgdquqwa.bts
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
"C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:1484

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aomgdquqwa.bts
Filesize
5KB

MD5
70ac455f88e10ec69807e8d27c5b98a7

SHA1
57dbd9bc79b94886f79354ca2025232a5d0076fb

SHA256
157b2b1dcb46cfbd5f8ebbcc64bae4fdd45fb9f6843549d5efa39ff294156e68

SHA512
4e732530fa2d008d57f86a2f62010d04a67764c230e9f966cf30bdbef2064b0dfc05a983d7919af7db03c690584dd8115ea7dd4b3e34f28cd49cf318dc13b8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgcugroogqm.cg
Filesize
185KB

MD5
e90088efd1be37bc124d82ce812bd327

SHA1
633c82a7f3334b6c48a23e96b9ff6116c7cdce27

SHA256
09b39f471b88b40e2c29f61d06005b27b799a6d274f0f74262d46d11f9a36d8d

SHA512
f93f6119cd5b8c04426b917f6cf6d2f16797970ea4ae00ed0e8014862651ce25a23a5ee60b36aacd37dd7691b3d3bd63c1bdd3a4b0b243456524aff40b7240a4

Download Submit
\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
memory/1252-56-0x0000000000000000-mapping.dmp

Download
memory/1484-64-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/2028-62-0x00000000000812B0-mapping.dmp

Download