28b0e4a555f41d4709a7d180f2b951491efa80d054cad46c887059ac79d75745

Analysis

max time kernel
38s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-03-2023 21:39

Target

Installer.exe
Size

5.0MB
MD5

7c54b7057111165aed5885a25a662284
SHA1

2427f02080a0f3040e82731f16d264b686b50d2a
SHA256

28b0e4a555f41d4709a7d180f2b951491efa80d054cad46c887059ac79d75745
SHA512

aa2e8228e1911fc1edbb264b925e01c750dff5a722d1dbe0144e40e497710e87591d9954cc04df8ee6aa92221f79411d3c7d39e1082cb5f0a6f710b4c67895dd
SSDEEP

98304:N9/3GjyyERJicIqAviJXjlsjBKF7ZHSAZginBJzCV9NAi5o8fWw:NlGjyyERMjTvAXjlgK5ZHdZginrCrNAg

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2008 1100 WerFault.exe Installer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Installer.exe

description pid process

Token: SeDebugPrivilege 1100 Installer.exe

pid	pid_target	process	target process
2008	1100	WerFault.exe	Installer.exe

description	pid	process
Token: SeDebugPrivilege	1100	Installer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Installer.exe

description	pid	process	target process
PID 1100 wrote to memory of 1880	1100	Installer.exe	cmd.exe
PID 1100 wrote to memory of 1880	1100	Installer.exe	cmd.exe
PID 1100 wrote to memory of 1880	1100	Installer.exe	cmd.exe
PID 1100 wrote to memory of 1880	1100	Installer.exe	cmd.exe
PID 1100 wrote to memory of 2008	1100	Installer.exe	WerFault.exe
PID 1100 wrote to memory of 2008	1100	Installer.exe	WerFault.exe
PID 1100 wrote to memory of 2008	1100	Installer.exe	WerFault.exe
PID 1100 wrote to memory of 2008	1100	Installer.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1320
  2⤵
  - Program crash
  PID:2008

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1100-54-0x0000000000340000-0x0000000000848000-memory.dmp

Filesize
5.0MB

Download
memory/1100-55-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/1100-56-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download