a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026

Analysis

max time kernel
37s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe
Size

48KB
MD5

96eacc87380a7cb2e3df5a420c5b8af9
SHA1

4a4637319c8a5cefbf527af566e4bdb833febf54
SHA256

a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026
SHA512

42169cc6f917661bb6dee200d6539843a0775fff0f25345d3c3ac6f7c4205faffabdef3e799d3d32eec899dfe2ace2b712ca352488174561eba88ab8b5c64e54
SSDEEP

384:a2x8rf5S11vYW4TCWIqOM+7bDaWgQWE4Rja:a08D5/HIqOM+rabQL4Rj

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1152	1664	WerFault.exe	17

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe
Token: SeSystemtimePrivilege	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1940	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	28
PID 1664 wrote to memory of 1940	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	28
PID 1664 wrote to memory of 1940	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	28
PID 1664 wrote to memory of 1940	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	28
PID 1664 wrote to memory of 1460	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	30
PID 1664 wrote to memory of 1460	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	30
PID 1664 wrote to memory of 1460	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	30
PID 1664 wrote to memory of 1460	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	30
PID 1664 wrote to memory of 1376	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	32
PID 1664 wrote to memory of 1376	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	32
PID 1664 wrote to memory of 1376	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	32
PID 1664 wrote to memory of 1376	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	32
PID 1664 wrote to memory of 1744	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	34
PID 1664 wrote to memory of 1744	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	34
PID 1664 wrote to memory of 1744	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	34
PID 1664 wrote to memory of 1744	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	34
PID 1664 wrote to memory of 980	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	36
PID 1664 wrote to memory of 980	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	36
PID 1664 wrote to memory of 980	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	36
PID 1664 wrote to memory of 980	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	36
PID 1664 wrote to memory of 636	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	38
PID 1664 wrote to memory of 636	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	38
PID 1664 wrote to memory of 636	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	38
PID 1664 wrote to memory of 636	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	38
PID 1664 wrote to memory of 1428	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	40
PID 1664 wrote to memory of 1428	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	40
PID 1664 wrote to memory of 1428	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	40
PID 1664 wrote to memory of 1428	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	40
PID 1664 wrote to memory of 2044	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	42
PID 1664 wrote to memory of 2044	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	42
PID 1664 wrote to memory of 2044	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	42
PID 1664 wrote to memory of 2044	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	42
PID 1664 wrote to memory of 1152	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	44
PID 1664 wrote to memory of 1152	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	44
PID 1664 wrote to memory of 1152	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	44
PID 1664 wrote to memory of 1152	1664	a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe	44

C:\Users\Admin\AppData\Local\Temp\a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe
"C:\Users\Admin\AppData\Local\Temp\a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:1940
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:1460
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:1376
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:980
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:636
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:1428
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 348
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe

Filesize
48KB

MD5
96eacc87380a7cb2e3df5a420c5b8af9

SHA1
4a4637319c8a5cefbf527af566e4bdb833febf54

SHA256
a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026

SHA512
42169cc6f917661bb6dee200d6539843a0775fff0f25345d3c3ac6f7c4205faffabdef3e799d3d32eec899dfe2ace2b712ca352488174561eba88ab8b5c64e54

Download Submit
\Users\Admin\AppData\Local\Temp\a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe

Filesize
48KB

MD5
96eacc87380a7cb2e3df5a420c5b8af9

SHA1
4a4637319c8a5cefbf527af566e4bdb833febf54

SHA256
a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026

SHA512
42169cc6f917661bb6dee200d6539843a0775fff0f25345d3c3ac6f7c4205faffabdef3e799d3d32eec899dfe2ace2b712ca352488174561eba88ab8b5c64e54

Download Submit
\Users\Admin\AppData\Local\Temp\a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe

Filesize
48KB

MD5
96eacc87380a7cb2e3df5a420c5b8af9

SHA1
4a4637319c8a5cefbf527af566e4bdb833febf54

SHA256
a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026

SHA512
42169cc6f917661bb6dee200d6539843a0775fff0f25345d3c3ac6f7c4205faffabdef3e799d3d32eec899dfe2ace2b712ca352488174561eba88ab8b5c64e54

Download Submit
\Users\Admin\AppData\Local\Temp\a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe

Filesize
48KB

MD5
96eacc87380a7cb2e3df5a420c5b8af9

SHA1
4a4637319c8a5cefbf527af566e4bdb833febf54

SHA256
a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026

SHA512
42169cc6f917661bb6dee200d6539843a0775fff0f25345d3c3ac6f7c4205faffabdef3e799d3d32eec899dfe2ace2b712ca352488174561eba88ab8b5c64e54

Download Submit
\Users\Admin\AppData\Local\Temp\a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026.exe

Filesize
48KB

MD5
96eacc87380a7cb2e3df5a420c5b8af9

SHA1
4a4637319c8a5cefbf527af566e4bdb833febf54

SHA256
a0dc8e5c0e1e8ec293af98b8836eeb3dff0922814029ac1bdd27cda97c737026

SHA512
42169cc6f917661bb6dee200d6539843a0775fff0f25345d3c3ac6f7c4205faffabdef3e799d3d32eec899dfe2ace2b712ca352488174561eba88ab8b5c64e54

Download Submit
memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1664-56-0x0000000013140000-0x000000001314C000-memory.dmp

Filesize
48KB

Download