8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

Analysis

max time kernel
84s
max time network
63s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-03-2023 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

569KB
MD5

44141a0e32ba57ab5c42a7d18a3745ce
SHA1

ca3300147a6777904baffd74d70b2c79d6dced72
SHA256

8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518
SHA512

757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c
SSDEEP

12288:l+Q5UdA+06SBPOZLVeIQYSsWmal37ckvPG9o8z:EQ5UdT06SVwVfQfsf03Ak29o8z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1456	tmp.exe

Loads dropped DLL 6 IoCs

pid	Process
580	taskeng.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1340	1456	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
340	powershell.exe
1456	tmp.exe
1456	tmp.exe
1456	tmp.exe
1456	tmp.exe
1456	tmp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	tmp.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1456	tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 340	1624	tmp.exe	26
PID 1624 wrote to memory of 340	1624	tmp.exe	26
PID 1624 wrote to memory of 340	1624	tmp.exe	26
PID 580 wrote to memory of 1456	580	taskeng.exe	29
PID 580 wrote to memory of 1456	580	taskeng.exe	29
PID 580 wrote to memory of 1456	580	taskeng.exe	29
PID 1456 wrote to memory of 1340	1456	tmp.exe	31
PID 1456 wrote to memory of 1340	1456	tmp.exe	31
PID 1456 wrote to memory of 1340	1456	tmp.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:340

C:\Windows\system32\taskeng.exe
taskeng.exe {C662726E-5F49-41E1-BEE9-5F4235E7A1D7} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580
- C:\Users\Admin\AppData\Roaming\tmp.exe
  C:\Users\Admin\AppData\Roaming\tmp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1456 -s 1184
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
569KB

MD5
44141a0e32ba57ab5c42a7d18a3745ce

SHA1
ca3300147a6777904baffd74d70b2c79d6dced72

SHA256
8701f0c0b71ac2f9214a565721adadff6bfad4705e219d712f0742b03b7be518

SHA512
757c2d25f29a85daf79fa9fe45905e0612cd8052f9586dc08f8ad0218ce5de6281ae172841b04620dabec37b440fb5fd949337018d349a6f088971e7ef1e171c

Download Submit
memory/340-2258-0x0000000001DC0000-0x0000000001E40000-memory.dmp

Filesize
512KB

Download
memory/340-2259-0x0000000001DC0000-0x0000000001E40000-memory.dmp

Filesize
512KB

Download
memory/340-2260-0x000000001AFE0000-0x000000001B2C2000-memory.dmp

Filesize
2.9MB

Download
memory/340-2261-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/340-2263-0x0000000001DC0000-0x0000000001E40000-memory.dmp

Filesize
512KB

Download
memory/340-2264-0x0000000001DC0000-0x0000000001E40000-memory.dmp

Filesize
512KB

Download
memory/1456-4464-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/1456-4471-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/1456-4470-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/1456-2269-0x000000013F7C0000-0x000000013F852000-memory.dmp

Filesize
584KB

Download
memory/1456-2455-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/1456-4463-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/1456-4465-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/1624-86-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-79-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/1624-96-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-92-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-100-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-102-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-108-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-112-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-110-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-114-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-106-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-104-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-116-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-118-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-120-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-2249-0x00000000020B0000-0x0000000002106000-memory.dmp

Filesize
344KB

Download
memory/1624-2250-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/1624-2251-0x00000000022D0000-0x000000000231C000-memory.dmp

Filesize
304KB

Download
memory/1624-2252-0x00000000023B0000-0x0000000002404000-memory.dmp

Filesize
336KB

Download
memory/1624-94-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-90-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-98-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-88-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-2262-0x000000001B3C6000-0x000000001B3FD000-memory.dmp

Filesize
220KB

Download
memory/1624-80-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-84-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-54-0x000000013FCA0000-0x000000013FD32000-memory.dmp

Filesize
584KB

Download
memory/1624-82-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-77-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-75-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-73-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-71-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-69-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-61-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-67-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-65-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-63-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-59-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-56-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-57-0x000000001ADA0000-0x000000001AE78000-memory.dmp

Filesize
864KB

Download
memory/1624-55-0x000000001ADA0000-0x000000001AE7C000-memory.dmp

Filesize
880KB

Download