065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe
Size

229KB
MD5

69c8f26359a2f91a60c66023180491f7
SHA1

6be535b966a2d640a925a42375669f724bfb3ef3
SHA256

065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c
SHA512

4f19b7b3c44a8de4c39e8afd9482f6c8afdd981a9b1517e6ee53b5ecaff8f85294bc59117be501366b41d55aa33843cbad5405f9e1417f72fcc7b5ba543c29a6
SSDEEP

6144:MEa0NFHr+NjEJ6WJmDXhdbPPkVUEdojhT8:XJryEJ6WIzhdbUiE7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

lmyqtnonzg.exelmyqtnonzg.exe

pid process

2000 lmyqtnonzg.exe
1740 lmyqtnonzg.exe
Loads dropped DLL 5 IoCs

Processes:

065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exelmyqtnonzg.exeWerFault.exe

pid process

1108 065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe
2000 lmyqtnonzg.exe
956 WerFault.exe
956 WerFault.exe
956 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lmyqtnonzg.exe

description pid process target process

PID 2000 set thread context of 1740 2000 lmyqtnonzg.exe lmyqtnonzg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

956 1740 WerFault.exe lmyqtnonzg.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

lmyqtnonzg.exe

pid process

2000 lmyqtnonzg.exe
2000 lmyqtnonzg.exe

pid	process
2000	lmyqtnonzg.exe
1740	lmyqtnonzg.exe

pid	process
1108	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe
2000	lmyqtnonzg.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe

description	pid	process	target process
PID 2000 set thread context of 1740	2000	lmyqtnonzg.exe	lmyqtnonzg.exe

pid	pid_target	process	target process
956	1740	WerFault.exe	lmyqtnonzg.exe

pid	process
2000	lmyqtnonzg.exe
2000	lmyqtnonzg.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exelmyqtnonzg.exelmyqtnonzg.exe

description	pid	process	target process
PID 1108 wrote to memory of 2000	1108	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe	lmyqtnonzg.exe
PID 1108 wrote to memory of 2000	1108	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe	lmyqtnonzg.exe
PID 1108 wrote to memory of 2000	1108	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe	lmyqtnonzg.exe
PID 1108 wrote to memory of 2000	1108	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe	lmyqtnonzg.exe
PID 2000 wrote to memory of 1740	2000	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 2000 wrote to memory of 1740	2000	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 2000 wrote to memory of 1740	2000	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 2000 wrote to memory of 1740	2000	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 2000 wrote to memory of 1740	2000	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 1740 wrote to memory of 956	1740	lmyqtnonzg.exe	WerFault.exe
PID 1740 wrote to memory of 956	1740	lmyqtnonzg.exe	WerFault.exe
PID 1740 wrote to memory of 956	1740	lmyqtnonzg.exe	WerFault.exe
PID 1740 wrote to memory of 956	1740	lmyqtnonzg.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe
"C:\Users\Admin\AppData\Local\Temp\065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
"C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
"C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
C:\Users\Admin\AppData\Local\Temp\plcqridn.iql
Filesize
5KB

MD5
8b2dd74b24049fa0644ae195073e22a7

SHA1
efcb154a283a48c8a118869fc5ec6aa902ec2a6b

SHA256
cf2642d8ad3cebbd586b1faa83912f9dfb70078dc2ba6914b4c6dc1f68470fe6

SHA512
de8fba3a5d1a568a1b30e57f2e14d3b7a8b1337f6d739c1cd1cf8fec84fe1ffcb4e8521d41189694e241847a475b560bd34b05080d44ce04308d2c8a2ef6dbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrybrlscnms.j
Filesize
185KB

MD5
da4adaa57769f1ba84485bc4f68358c9

SHA1
cd92822d9b7f91beeaf7d64e5ed836ebf93ed3c5

SHA256
56e12bbefcc6c07d425ade3bfe13d866db19cb11c7efc251f0f9a00fd11a7168

SHA512
e5a79088faca19ca58b5b5c0843bbdf8b51f2ca077cd7c6f186af0635e3165b15bf9ac7536077158283516becbb92d8a1f20d683fa997f8a4ac6fc2dddcf1af1

Download Submit
\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
memory/956-64-0x0000000000000000-mapping.dmp

Download
memory/1108-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1740-62-0x00000000000812B0-mapping.dmp

Download
memory/2000-56-0x0000000000000000-mapping.dmp

Download