c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1

Analysis

max time kernel
145s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

245KB
MD5

354b3a49c2eb26b415dad675be798021
SHA1

ab564aa0f4b8c1bb4840e5d53cf22bda139a8417
SHA256

c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1
SHA512

0e7d8fd3dbfddae84f794630f71cd5e08ca82d08047ac04fdd754521e5ea42a326967da61b3c85762fcead5eeaa9c73ba60f073611379dd788ce6909652602c4
SSDEEP

6144:bYJs4DXb74q3uYqTKRPRdqZThdIQJeyG:bYiw8guYq2Xahdxe

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1324	svcservice.exe

Loads dropped DLL 7 IoCs

pid	Process
1712	file.exe
1712	file.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1108	1324	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1324	1712	file.exe	28
PID 1712 wrote to memory of 1324	1712	file.exe	28
PID 1712 wrote to memory of 1324	1712	file.exe	28
PID 1712 wrote to memory of 1324	1712	file.exe	28
PID 1324 wrote to memory of 1108	1324	svcservice.exe	31
PID 1324 wrote to memory of 1108	1324	svcservice.exe	31
PID 1324 wrote to memory of 1108	1324	svcservice.exe	31
PID 1324 wrote to memory of 1108	1324	svcservice.exe	31

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 556
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
331.8MB

MD5
dc9aede6907974e95866ec80b6a33e26

SHA1
ebedcec576640d7a1dbc2b400dc41e57b9aa7da2

SHA256
f8c59d67de5549e022afa02ea466918a4438fa05b9e1033780f6bee218175621

SHA512
99ae3c124ef3a6ae6cd8f54382e9021190e29294234db284fae370174093224500a97a33864b5be0194c77a6f6df942f806cd56c6fe96fded14fa755e9816e3d

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
331.3MB

MD5
58ed3779d3bbbb4b9ecefae84fe32eae

SHA1
b868f3dd2763f3579d7cbfa6aff60123aa734742

SHA256
7dea04fec64ed7ba0195172a9b525fb160a247d3e151bf1eb04a918b1571a6ed

SHA512
ea994c7d27deae0af98a1c38f7270fc6171026813c1203c3c4a2150491068a3d344d583ab2e4bf4ea48ffeef96f1f79fdf0f1fd0b4a5da6045d4bc6ad7aae1a0

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
312.5MB

MD5
a72165939b20ed7d2fb9214694ff5f2e

SHA1
43b519985864444614722f7840ce5ca9bb88204d

SHA256
5f53cdcb145964ed0ed3208eeeca6a85572a1fed968d9aca87f74d132bae5691

SHA512
f49e67b6bffb05d30fab7c7f90e0158def2ccb127f02f937052e53adbc612463cec338ace67b550158a988422dfbd19a63245414ec9a7e870ea60b85299e2bd9

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
330.4MB

MD5
15600823362600284686b43851c50127

SHA1
d5360cf8b25362eb7fe4a58152250abdc27e3db0

SHA256
cc98e686017868deae623365a0eab30c080c547b739e6b45f8a07ebbbbfa843d

SHA512
1a12573ab9d37c027c645a84dc9e0cab47e1ac2fd3ee1544c1ed91cf4ca0b41bb92d0dc60e8c4d879442d3b364c442d1279676bc7fc473ac519bb40bd9592fa7

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
231.8MB

MD5
632e10b2c6e650de98f11c82fe2c68c0

SHA1
bcef9985eac016a3e6848bcfcc62cffb48646aad

SHA256
aa48423ac92fcb19134e481d809503a25702d49ff53cb1ab23f0b64c30621dcb

SHA512
d2f6eb8828db895444777d4907d5cc08dd08f573d74f2430d54842f4291e5d35bdf9d7f0cc290193bb236b4961003c127bb46f8ee1f8090827eda0e115f95d56

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
182.2MB

MD5
ca2d79222eda67e3f31b7894bea4895b

SHA1
f86f050a801f3b685709433a4712d91709997ef2

SHA256
7a164ffeee4e53d0aae9e0109ab34cc2b922bbc7e0e99d4027cfd37ad54845ba

SHA512
e706dee4b6c273773ba63e149aaf97766112039f76b17b75a550397fc54039624e20eb1fe0b5ad0f158590b204437a21d0aececf22ddfd71130595cca9025e98

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
196.0MB

MD5
cf801339e1cf98d07e183db49b49ee9c

SHA1
e1d2962fa4e021861767cf16729e74fb560cbdb9

SHA256
4c79ebdcc4b8ece2622629c010d671cdbdb860a786c14802472021b83ba65ec6

SHA512
8f5a301b51f8d6906fc893a89d3c836d79738854fe914ebd6ca0bb943383ade2709d8df4629eff89bb7486fc59a4e7f140eb5658d5ccb167c4f9f37c7464494e

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
173.2MB

MD5
154f7d27abc749effd653409987a9fe9

SHA1
9a63b2a6449ba10a7834d6c97359852e9174caf5

SHA256
e48d5a13dbe52fc95e1c04e5c788eb0da5a8cf897c6ab8c03aead2a1493a7814

SHA512
22e01427dc2b1383b9f4e0249e5b47c7842cd6d9bfa8ff9624192e2da5e769c88567f476d4e8cb3440f0f8b4afbfa7a7fa5e529673908fdd087312df09691182

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
212.4MB

MD5
99b10afd78c54f75c2d08293decf5430

SHA1
d0e08568f35edcc0c9827a03e8c54e935f6ca6b2

SHA256
56baeb60742013ace2987a0c76491d90d3cb40f69557a53af9564ffab74b4907

SHA512
0f69ff8bb09e03b0291e2f9513fd81554f42187ad563c7ded066caccf6d5712fb3c72e00ae3178bb19f49eb4286f3dfc7ba9f93b74570c5494a3dacf4b4a2109

Download Submit
memory/1324-67-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1712-55-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/1712-65-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download