f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb

Analysis

max time kernel
156s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 03:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe
Size

124KB
MD5

26817fd338b0fccaedfc316c3646487e
SHA1

1e2bf031d305529e08c44b7f2a6e202d9e7ddf18
SHA256

f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb
SHA512

3c9a86d220b940cc4b7b8b53f65bedb99b70ab44e6e7ce8c283f1c8486358462b4a75bb6ca9ff68912f89cd6361528fdb79454e7905838660fe792da961a04d0
SSDEEP

3072:qtlS53uSK5BRmhiJb2rLu5CaDMT3q/U7+Lhw:qzS5Y5Chix5XDMcw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2292	ExpressVids.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4456	2292	WerFault.exe	80
720	2292	WerFault.exe	80

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2292	2464	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe	80
PID 2464 wrote to memory of 2292	2464	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe	80
PID 2464 wrote to memory of 2292	2464	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe	80
PID 2292 wrote to memory of 720	2292	ExpressVids.exe	86
PID 2292 wrote to memory of 720	2292	ExpressVids.exe	86
PID 2292 wrote to memory of 720	2292	ExpressVids.exe	86

C:\Users\Admin\AppData\Local\Temp\f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe
"C:\Users\Admin\AppData\Local\Temp\f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe
  C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 320
    3⤵
    - Program crash
    PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 320
    3⤵
    - Program crash
    PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
memory/2292-135-0x00000000004A0000-0x00000000004B7000-memory.dmp

Filesize
92KB

Download
memory/2292-136-0x00000000004A0000-0x00000000004B7000-memory.dmp

Filesize
92KB

Download