f3dbe218bac2da1fabff8364428a0548f03e2c93442082d2c0ed1b2686040e32

Analysis

max time kernel
147s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trainerv_7VxI5OpA.exe
Size

4.3MB
MD5

3a0c3723ddc9efd1b7d584e10312576b
SHA1

c695283f4205420f3d9812a6c4b7eb1f4b484063
SHA256

f3dbe218bac2da1fabff8364428a0548f03e2c93442082d2c0ed1b2686040e32
SHA512

b6a645802e9b90e6a0eda5e40e7b48dea2c80c76f59640b50c27c72e78115e31fd161ab98401740a0404382dddcf4d543ff99746bd68363dac61817a3e54e0d2
SSDEEP

98304:QcPNiPea8mdie9Ohxt1rqaAA6YHxkjWvCK90w4LlY/+IbFEmFusXct:xNiPezmdie9MxtgdA6YHuWvB90wklq+V

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

is-G4IAS.tmpCR_DBF.exeCR_DBF.exe

pid process

1936 is-G4IAS.tmp
4468 CR_DBF.exe
1316 CR_DBF.exe
Loads dropped DLL 3 IoCs

Processes:

is-G4IAS.tmp

pid process

1936 is-G4IAS.tmp
1936 is-G4IAS.tmp
1936 is-G4IAS.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1936	is-G4IAS.tmp
4468	CR_DBF.exe
1316	CR_DBF.exe

pid	process
1936	is-G4IAS.tmp
1936	is-G4IAS.tmp
1936	is-G4IAS.tmp

Drops file in Program Files directory 24 IoCs

Processes:

is-G4IAS.tmp

description	ioc	process
File created	C:\Program Files (x86)\CR DBF\Demo\is-P4HK2.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-BRNBM.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-NMU81.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-D13K2.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-HGS88.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-ELK4S.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-I90SI.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-GB4G6.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-T815T.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\unins000.dat	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-TMT5P.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-0QHO4.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-HG490.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-S63BA.tmp	is-G4IAS.tmp
File opened for modification	C:\Program Files (x86)\CR DBF\RepairDbf.ini	is-G4IAS.tmp
File opened for modification	C:\Program Files (x86)\CR DBF\unins000.dat	is-G4IAS.tmp
File opened for modification	C:\Program Files (x86)\CR DBF\CR_DBF.exe	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-T498V.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-VA37K.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-SV3IE.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-SEVEM.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-1697S.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-APK8I.tmp	is-G4IAS.tmp
File created	C:\Program Files (x86)\CR DBF\is-DJDVQ.tmp	is-G4IAS.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
824	4468	WerFault.exe	CR_DBF.exe
2444	4468	WerFault.exe	CR_DBF.exe
1476	4468	WerFault.exe	CR_DBF.exe
4748	1316	WerFault.exe	CR_DBF.exe
2248	1316	WerFault.exe	CR_DBF.exe
4052	1316	WerFault.exe	CR_DBF.exe
1912	1316	WerFault.exe	CR_DBF.exe
1712	1316	WerFault.exe	CR_DBF.exe
4040	1316	WerFault.exe	CR_DBF.exe
2856	1316	WerFault.exe	CR_DBF.exe
2864	1316	WerFault.exe	CR_DBF.exe
1536	1316	WerFault.exe	CR_DBF.exe
1116	1316	WerFault.exe	CR_DBF.exe
2720	1316	WerFault.exe	CR_DBF.exe
4680	1316	WerFault.exe	CR_DBF.exe
4932	1316	WerFault.exe	CR_DBF.exe
4880	1316	WerFault.exe	CR_DBF.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CR_DBF.exe

pid process

1316 CR_DBF.exe
1316 CR_DBF.exe

pid	process
1316	CR_DBF.exe
1316	CR_DBF.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

trainerv_7VxI5OpA.exeis-G4IAS.tmpnet.exenet.exe

description	pid	process	target process
PID 4980 wrote to memory of 1936	4980	trainerv_7VxI5OpA.exe	is-G4IAS.tmp
PID 4980 wrote to memory of 1936	4980	trainerv_7VxI5OpA.exe	is-G4IAS.tmp
PID 4980 wrote to memory of 1936	4980	trainerv_7VxI5OpA.exe	is-G4IAS.tmp
PID 1936 wrote to memory of 2640	1936	is-G4IAS.tmp	net.exe
PID 1936 wrote to memory of 2640	1936	is-G4IAS.tmp	net.exe
PID 1936 wrote to memory of 2640	1936	is-G4IAS.tmp	net.exe
PID 1936 wrote to memory of 4468	1936	is-G4IAS.tmp	CR_DBF.exe
PID 1936 wrote to memory of 4468	1936	is-G4IAS.tmp	CR_DBF.exe
PID 1936 wrote to memory of 4468	1936	is-G4IAS.tmp	CR_DBF.exe
PID 2640 wrote to memory of 1528	2640	net.exe	net1.exe
PID 2640 wrote to memory of 1528	2640	net.exe	net1.exe
PID 2640 wrote to memory of 1528	2640	net.exe	net1.exe
PID 1936 wrote to memory of 4716	1936	is-G4IAS.tmp	net.exe
PID 1936 wrote to memory of 4716	1936	is-G4IAS.tmp	net.exe
PID 1936 wrote to memory of 4716	1936	is-G4IAS.tmp	net.exe
PID 1936 wrote to memory of 1316	1936	is-G4IAS.tmp	CR_DBF.exe
PID 1936 wrote to memory of 1316	1936	is-G4IAS.tmp	CR_DBF.exe
PID 1936 wrote to memory of 1316	1936	is-G4IAS.tmp	CR_DBF.exe
PID 4716 wrote to memory of 2044	4716	net.exe	net1.exe
PID 4716 wrote to memory of 2044	4716	net.exe	net1.exe
PID 4716 wrote to memory of 2044	4716	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\trainerv_7VxI5OpA.exe
"C:\Users\Admin\AppData\Local\Temp\trainerv_7VxI5OpA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\is-UA1HG.tmp\is-G4IAS.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UA1HG.tmp\is-G4IAS.tmp" /SL4 $B006A "C:\Users\Admin\AppData\Local\Temp\trainerv_7VxI5OpA.exe" 4258240 51712
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 31
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 31
      4⤵
      PID:1528
- - C:\Program Files (x86)\CR DBF\CR_DBF.exe
    "C:\Program Files (x86)\CR DBF\CR_DBF.exe"
    3⤵
    - Executes dropped EXE
    PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 868
      4⤵
      Program crash
      PID:824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 904
      4⤵
      Program crash
      PID:2444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 140
      4⤵
      Program crash
      PID:1476
- - C:\Program Files (x86)\CR DBF\CR_DBF.exe
    "C:\Program Files (x86)\CR DBF\CR_DBF.exe" 0eb237d1d48855f4296a6c8a5ffe762e
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 852
      4⤵
      Program crash
      PID:4748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 860
      4⤵
      Program crash
      PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 948
      4⤵
      Program crash
      PID:4052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1052
      4⤵
      Program crash
      PID:1912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1092
      4⤵
      Program crash
      PID:1712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1140
      4⤵
      Program crash
      PID:4040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1136
      4⤵
      Program crash
      PID:2856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1296
      4⤵
      Program crash
      PID:2864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1304
      4⤵
      Program crash
      PID:1536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1160
      4⤵
      Program crash
      PID:1116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 968
      4⤵
      Program crash
      PID:2720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1624
      4⤵
      Program crash
      PID:4680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1308
      4⤵
      Program crash
      PID:4932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1284
      4⤵
      Program crash
      PID:4880
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause ImageComparer45
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause ImageComparer45
      4⤵
      PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4468 -ip 4468
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4468 -ip 4468
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4468 -ip 4468
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1316 -ip 1316
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1316 -ip 1316
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1316 -ip 1316
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1316 -ip 1316
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1316 -ip 1316
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1316 -ip 1316
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1316 -ip 1316
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1316 -ip 1316
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1316 -ip 1316
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1316 -ip 1316
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1316 -ip 1316
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1316 -ip 1316
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1316 -ip 1316
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1316 -ip 1316
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CR DBF\CR_DBF.exe

Filesize
4.9MB

MD5
79da488660a746317460186c7249b23d

SHA1
2dac925d6ee81de84884cf6fa5bad5b4a742082c

SHA256
f2ed309f8a47d4cf8193d656f3d27a5dacb216e1a4cf69d78e8eb8715cd8cc1a

SHA512
28abf2d199a9f5258abb74d01b693f3c64e4e929a1bd1565d4d352317f12381a7368b14c06f493f94b4a300501721a84f51da45dac0cbfffc2de9706b2dfbce2

Download Submit
C:\Program Files (x86)\CR DBF\CR_DBF.exe

Filesize
4.9MB

MD5
79da488660a746317460186c7249b23d

SHA1
2dac925d6ee81de84884cf6fa5bad5b4a742082c

SHA256
f2ed309f8a47d4cf8193d656f3d27a5dacb216e1a4cf69d78e8eb8715cd8cc1a

SHA512
28abf2d199a9f5258abb74d01b693f3c64e4e929a1bd1565d4d352317f12381a7368b14c06f493f94b4a300501721a84f51da45dac0cbfffc2de9706b2dfbce2

Download Submit
C:\Program Files (x86)\CR DBF\RepairDbf.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\CR DBF\RepairDbf.ini

Filesize
25KB

MD5
7adb701058d924f9419d7cdd8b903d99

SHA1
141a0841b0a9362de489ebb6fa1f010faeaa53e0

SHA256
a92e29d8d40aa8f332bf0adaf811176429a23aa0ceb022cec36cff41fc84dea2

SHA512
e6fdbfec972e77f3bb271ed9f8469d9f8b7ef278b1a95ef5926563592577473e86298ceb7a370d629b0e706387ec811757fb6e177da5442947f9b611595a544f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNQ7T.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNQ7T.tmp\_isdecmp.dll

Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNQ7T.tmp\_isdecmp.dll

Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UA1HG.tmp\is-G4IAS.tmp

Filesize
643KB

MD5
72d3c1e3acb10e576f02c9b635ee58d8

SHA1
00345a3076ade8192bf3298e16d5fdf754daf793

SHA256
4ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7

SHA512
30a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UA1HG.tmp\is-G4IAS.tmp

Filesize
643KB

MD5
72d3c1e3acb10e576f02c9b635ee58d8

SHA1
00345a3076ade8192bf3298e16d5fdf754daf793

SHA256
4ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7

SHA512
30a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a

Download Submit
memory/1316-277-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1316-276-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1316-280-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1316-281-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1316-282-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1316-285-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1936-153-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1936-279-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4468-269-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/4468-270-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/4468-272-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/4980-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4980-278-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download