97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1

Analysis

max time kernel
108s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 07:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
Size

1.0MB
MD5

195677bfbdec80ff2551771e2589082b
SHA1

72c384714736ac284d49b7908971e2ee3c7cfdd1
SHA256

97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1
SHA512

3b05bf2e5f7440d0e9ef3dd6304893853cfe43bcd50faff461d0c695334566c90146d7cd71b580c0eb59ccfb68969aacbadd7726cb9f35212f91cb32c580bf0e
SSDEEP

24576:l0a5jQWc7x4TyjheHod9XxeDNmRJLduNtjKaDaxSEFJg:lDcGujPeDN4pu/2XxSEFS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 13 IoCs

pid	Process
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4600	4132	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
4132	97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe

C:\Users\Admin\AppData\Local\Temp\97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe
"C:\Users\Admin\AppData\Local\Temp\97668a80c7b548b02f7492d106f47a5b0124d86b8705509cbc200dad9f0f8bb1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 880
  2⤵
  - Program crash
  PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4132 -ip 4132
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\ExecCmd.dll

Filesize
8KB

MD5
eb691ecf4781fa3b05d338aee7a7592f

SHA1
378bd96307a71d0fe98b9b167e9d63aa9636dbf7

SHA256
a64256176e12708c41ac4449a046dc25333d5246eee4371e8a73edc7ab4c81e8

SHA512
acf622b4c1e75bee0dbd82c35ad9b8f8537e1bf3a17bb93c3f2d0eb6c088bad8391fe72ca8e01f5c840b96656ec8cb230938384f3cef92c9775c3c3621c15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\ExecCmd.dll

Filesize
8KB

MD5
eb691ecf4781fa3b05d338aee7a7592f

SHA1
378bd96307a71d0fe98b9b167e9d63aa9636dbf7

SHA256
a64256176e12708c41ac4449a046dc25333d5246eee4371e8a73edc7ab4c81e8

SHA512
acf622b4c1e75bee0dbd82c35ad9b8f8537e1bf3a17bb93c3f2d0eb6c088bad8391fe72ca8e01f5c840b96656ec8cb230938384f3cef92c9775c3c3621c15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\ExecCmd.dll

Filesize
8KB

MD5
eb691ecf4781fa3b05d338aee7a7592f

SHA1
378bd96307a71d0fe98b9b167e9d63aa9636dbf7

SHA256
a64256176e12708c41ac4449a046dc25333d5246eee4371e8a73edc7ab4c81e8

SHA512
acf622b4c1e75bee0dbd82c35ad9b8f8537e1bf3a17bb93c3f2d0eb6c088bad8391fe72ca8e01f5c840b96656ec8cb230938384f3cef92c9775c3c3621c15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\ExecCmd.dll

Filesize
8KB

MD5
eb691ecf4781fa3b05d338aee7a7592f

SHA1
378bd96307a71d0fe98b9b167e9d63aa9636dbf7

SHA256
a64256176e12708c41ac4449a046dc25333d5246eee4371e8a73edc7ab4c81e8

SHA512
acf622b4c1e75bee0dbd82c35ad9b8f8537e1bf3a17bb93c3f2d0eb6c088bad8391fe72ca8e01f5c840b96656ec8cb230938384f3cef92c9775c3c3621c15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\ExecCmd.dll

Filesize
8KB

MD5
eb691ecf4781fa3b05d338aee7a7592f

SHA1
378bd96307a71d0fe98b9b167e9d63aa9636dbf7

SHA256
a64256176e12708c41ac4449a046dc25333d5246eee4371e8a73edc7ab4c81e8

SHA512
acf622b4c1e75bee0dbd82c35ad9b8f8537e1bf3a17bb93c3f2d0eb6c088bad8391fe72ca8e01f5c840b96656ec8cb230938384f3cef92c9775c3c3621c15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\ExecCmd.dll

Filesize
8KB

MD5
eb691ecf4781fa3b05d338aee7a7592f

SHA1
378bd96307a71d0fe98b9b167e9d63aa9636dbf7

SHA256
a64256176e12708c41ac4449a046dc25333d5246eee4371e8a73edc7ab4c81e8

SHA512
acf622b4c1e75bee0dbd82c35ad9b8f8537e1bf3a17bb93c3f2d0eb6c088bad8391fe72ca8e01f5c840b96656ec8cb230938384f3cef92c9775c3c3621c15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\ExecCmd.dll

Filesize
8KB

MD5
eb691ecf4781fa3b05d338aee7a7592f

SHA1
378bd96307a71d0fe98b9b167e9d63aa9636dbf7

SHA256
a64256176e12708c41ac4449a046dc25333d5246eee4371e8a73edc7ab4c81e8

SHA512
acf622b4c1e75bee0dbd82c35ad9b8f8537e1bf3a17bb93c3f2d0eb6c088bad8391fe72ca8e01f5c840b96656ec8cb230938384f3cef92c9775c3c3621c15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\KillProcDLL.dll

Filesize
41KB

MD5
ec95edf0ce02afd9511b14ad87bd9844

SHA1
83b99d5652df23f4ed42603604f9f8108eec4072

SHA256
062bb420e8a0b7d8fd34dfc345148c925681ad483d137884f4fdffb1d394ff01

SHA512
dc1e0e6e45342232b513d53cde4fcc8845dd55e216430bca7e76bb7eacbc0a06c90ddf7b4f250afc7fbf750c9ea3241ff0bbd8c36d9521a76348288e96b829b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\KillProcDLL.dll

Filesize
41KB

MD5
ec95edf0ce02afd9511b14ad87bd9844

SHA1
83b99d5652df23f4ed42603604f9f8108eec4072

SHA256
062bb420e8a0b7d8fd34dfc345148c925681ad483d137884f4fdffb1d394ff01

SHA512
dc1e0e6e45342232b513d53cde4fcc8845dd55e216430bca7e76bb7eacbc0a06c90ddf7b4f250afc7fbf750c9ea3241ff0bbd8c36d9521a76348288e96b829b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\KillProcDLL.dll

Filesize
41KB

MD5
ec95edf0ce02afd9511b14ad87bd9844

SHA1
83b99d5652df23f4ed42603604f9f8108eec4072

SHA256
062bb420e8a0b7d8fd34dfc345148c925681ad483d137884f4fdffb1d394ff01

SHA512
dc1e0e6e45342232b513d53cde4fcc8845dd55e216430bca7e76bb7eacbc0a06c90ddf7b4f250afc7fbf750c9ea3241ff0bbd8c36d9521a76348288e96b829b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD0C3.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
memory/4132-156-0x0000000002FD0000-0x00000000030EC000-memory.dmp

Filesize
1.1MB

Download
memory/4132-144-0x0000000002FD0000-0x0000000002FDA000-memory.dmp

Filesize
40KB

Download
memory/4132-185-0x00000000035F0000-0x000000000370C000-memory.dmp

Filesize
1.1MB

Download