f29232176aa15e1b291e022b3b851f6f6f3175f428539a350d2fa852ba2bb19f

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/03/2023, 13:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe
Size

271KB
MD5

2209e362702c9b752a62974dd388a84c
SHA1

124e055556ec0af1b3757ce9484f443d2781fa87
SHA256

93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252
SHA512

9d1079d61973189456fc39b4365ce16ae55b8d895817f99afdd575a32d82c7383e78f44f038bc5091af2c4e7c06ff0e5388b7b61b79ea17b2a9edef275deb6c7
SSDEEP

6144:/Ya61ibGphhn+C1TCT3rEQup7FrttRGvNhG5fdS2:/YPCGphl1y3rEQcVTRGXG5FS2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1552	kftphaj.exe
1916	kftphaj.exe

Loads dropped DLL 6 IoCs

pid	Process
1676	93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe
1676	93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe
1552	kftphaj.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 1916	1552	kftphaj.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1484	1916	WerFault.exe	29

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1552	kftphaj.exe
1552	kftphaj.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1552	1676	93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe	28
PID 1676 wrote to memory of 1552	1676	93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe	28
PID 1676 wrote to memory of 1552	1676	93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe	28
PID 1676 wrote to memory of 1552	1676	93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe	28
PID 1552 wrote to memory of 1916	1552	kftphaj.exe	29
PID 1552 wrote to memory of 1916	1552	kftphaj.exe	29
PID 1552 wrote to memory of 1916	1552	kftphaj.exe	29
PID 1552 wrote to memory of 1916	1552	kftphaj.exe	29
PID 1552 wrote to memory of 1916	1552	kftphaj.exe	29
PID 1916 wrote to memory of 1484	1916	kftphaj.exe	30
PID 1916 wrote to memory of 1484	1916	kftphaj.exe	30
PID 1916 wrote to memory of 1484	1916	kftphaj.exe	30
PID 1916 wrote to memory of 1484	1916	kftphaj.exe	30

C:\Users\Admin\AppData\Local\Temp\93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe
"C:\Users\Admin\AppData\Local\Temp\93f922ec0297bd12a61774a11f85689c86f59f77f5d4641bbd2c403e135bd252.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\kftphaj.exe
  "C:\Users\Admin\AppData\Local\Temp\kftphaj.exe" C:\Users\Admin\AppData\Local\Temp\qxfnqwjlyi.f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\kftphaj.exe
    "C:\Users\Admin\AppData\Local\Temp\kftphaj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxfnqwjlyi.f

Filesize
5KB

MD5
3e8403d2ba74dc9a4cb8d9af3fd44860

SHA1
472aaf113eb89d3537ca205d5da212869ef17753

SHA256
bd45b74c6dfa92ed3a00d4f1b8e461ca7a59d299a1a2e50a80ec9f43c0316d91

SHA512
632706b2cb7eaa5147e1639147c93d514a70eb34fba09132c081c174ca8509c6ca992f556e87462a8f148cb0f14cc1eb1c2ba88c21d45819980e7f78b15d1087

Download Submit
C:\Users\Admin\AppData\Local\Temp\znboa.mw

Filesize
205KB

MD5
91636048bea502e8156f0e07819f7b7f

SHA1
ef07c5692c13ed028fa2c6e3901525b342b0d2ca

SHA256
7599bc96422eb327375884626a98a569d8bcb8ad2a56010f326db39ccb9303ba

SHA512
bfc2ca20500afc2fc8e466f4ff5d20cbd001adc0940dd1a048b466b0ae2528580ddaa6296e7676c52763223506c49d3627f0911169d52560ead3b17f834a1858

Download Submit
\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
\Users\Admin\AppData\Local\Temp\kftphaj.exe

Filesize
52KB

MD5
21bb135344e948794233a96ea6bf2adb

SHA1
8dfc133093bab897393e8c9d1bb9dbcf5e3f18ca

SHA256
c7813d1814349e8c7e9ebcd9516648c4554d3348f0f6d7eeedd2064cd0fe0897

SHA512
94763a851479c0316156d15b151a3adcd96d341062c5f22dd6dc6e23c61eb1a805226b41aa998beac0826a4f208725cdfbc41bb5d232bac898f6925053a19ef4

Download Submit
memory/1916-69-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download