Analysis
max time kernel: 141s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 02-03-2023 08:13
Behavioral task
behavioral1
Sample
77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
Resource
win10v2004-20230220-en
General
-
Target
77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
-
Size
1.4MB
-
MD5
c9bac05e33c3be03dee25a062ac40a55
-
SHA1
8e23195dc420793092eb17201810e8a522065c52
-
SHA256
77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4
-
SHA512
388c5ba9530e5216cdf3639555389fbfa4f0ee8def369d29d876351c95d852bed28b8e9fe52cab4a8df90efc3a73edc128b84db53dd1a7aec4469594cf35fc12
-
SSDEEP
24576:gqLLdb+QD1dK+a5rprVe/tfA+zTQipSgMnTJm0ImIQXk1RkEHDDfZ+hXVg60BlU+:HLdb9D1dKHU17HpSlTJ9ImIck7VHXfZp
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid   pid_target   process        target process
1804  1084         WerFault.exe   77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
pid   process
1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe, cmd.exe
description                          pid   process                                                                 target process
PID 1084 wrote to memory of 1860     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   cmd.exe
PID 1084 wrote to memory of 1860     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   cmd.exe
PID 1084 wrote to memory of 1860     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   cmd.exe
PID 1084 wrote to memory of 1860     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   cmd.exe
PID 1860 wrote to memory of 1760     1860  cmd.exe                                                                 netsh.exe
PID 1860 wrote to memory of 1760     1860  cmd.exe                                                                 netsh.exe
PID 1860 wrote to memory of 1760     1860  cmd.exe                                                                 netsh.exe
PID 1860 wrote to memory of 1760     1860  cmd.exe                                                                 netsh.exe
PID 1084 wrote to memory of 1804     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   WerFault.exe
PID 1084 wrote to memory of 1804     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   WerFault.exe
PID 1084 wrote to memory of 1804     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   WerFault.exe
PID 1084 wrote to memory of 1804     1084  77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe   WerFault.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\77a8f55f8d23e0d7f0b816e2433f4c8cd0f6f8bd5b954f8a4b0b5b6ed560b3e4.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VistaTcpOpen.bat" "
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh int tcp set global autotuninglevel=disable
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 452
        - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\VistaTcpOpen.bat
Filesize 50B
MD5 bce66c36a8152279a15d3a9bde66cb41
SHA1 a2df532be03fb049829ad7e0a9658f41663f07d9
SHA256 a0c9a1753c6459da695ffab12a8a4922566a664a1063f22c453313afe2bfddc5
SHA512 95d1d55c424de373c0e148c4ea98f62d0a7cd287bf166d3de1a1893aa2e89e473dcdee1e081c7501269ba0d690c6a0e0d148a59a825ec40c6294117da8a727ca
-
memory/1084-57-0x0000000000230000-0x0000000000231000-memory.dmp
Filesize 4KB
-
memory/1084-58-0x000000000C700000-0x000000000C701000-memory.dmp
Filesize 4KB
-
memory/1084-59-0x000000000F030000-0x000000000F031000-memory.dmp
Filesize 4KB
-
memory/1084-60-0x000000000F050000-0x000000000F051000-memory.dmp
Filesize 4KB
-
memory/1084-112-0x0000000000400000-0x0000000001400000-memory.dmp
Filesize 16.0MB
-
memory/1084-113-0x0000000000230000-0x0000000000231000-memory.dmp
Filesize 4KB
-
memory/1084-114-0x000000000C700000-0x000000000C701000-memory.dmp
Filesize 4KB
-
memory/1084-115-0x000000000F030000-0x000000000F031000-memory.dmp
Filesize 4KB
-
memory/1084-116-0x000000000F050000-0x000000000F051000-memory.dmp
Filesize 4KB