b23cb04afe59fee16c95ef5d24a67cb493d4ea88b62f6996e54493548acad6c2

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
Size

63KB
MD5

8631a8f38c49a008fa27a1206378e144
SHA1

b13d05d99b91fdff5802660218d26c4811e062a0
SHA256

55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c
SHA512

989e642115b8453e5b806e70914243f728d38d29493cb75b49981dd390ad155502b2998bb435ec8f9e88ef0a4ca8921fd7a54f5685c4aef5167ee1a0ea16dee0
SSDEEP

768:FWSro9/JJCAaXRCZ+W8UVVMKccxkujVuIbRr4R9FF2GRz:4SE/Db0a+8BccxcIbV4zxz

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

2560 WerFault.exe
2560 WerFault.exe
2560 WerFault.exe
2560 WerFault.exe
2560 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2560 2124 WerFault.exe 55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe

description pid process

Token: SeDebugPrivilege 2124 55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe

pid	process
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe

pid	pid_target	process	target process
2560	2124	WerFault.exe	55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe

description	pid	process
Token: SeDebugPrivilege	2124	55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe

description	pid	process	target process
PID 2124 wrote to memory of 2560	2124	55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe	WerFault.exe
PID 2124 wrote to memory of 2560	2124	55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe	WerFault.exe
PID 2124 wrote to memory of 2560	2124	55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe	WerFault.exe
PID 2124 wrote to memory of 2560	2124	55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
"C:\Users\Admin\AppData\Local\Temp\55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1600
2⤵
- Loads dropped DLL
- Program crash
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabA4D9.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA52A.tmp
Filesize
24KB

MD5
3973164abf630939a1935910abe543d8

SHA1
dc535294fb54c81b46a3c886d4a56d2a52c110b0

SHA256
50e12993ec8ff2547c6c67a60051dba142937e46966e249919ff26b55f59eef9

SHA512
081e358d65b0439f9817cf1d59b90f45859b788aa18f829f11d3727643a37ea4fc6d587e4ad0a01b2b7917122dc235c7a582147d4ba9a6d86b982fa536982279

Download Submit
C:\Users\Admin\Desktop\UnlockYourFiles4.txt
Filesize
301B

MD5
f9229fd9d3acdd20bcc4e3cda98e09d0

SHA1
f6f04d9379762be5bf3fd9a542fb25b2c9542aea

SHA256
9df2c26122c75d33570c827ad0a3d00f1d424278d2513ca5c3aaf8d8c85f5935

SHA512
a662f0a0b1ec68cc03eea68c069422c341ab61a8c4d2a4badbb12a0f9161e8c1dca45deeed4014affa2c6fdb64674d40b8ffd945375c6dfdfe7db234c30b7014

Download Submit
\Users\Admin\AppData\Local\Temp\55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
Filesize
63KB

MD5
8631a8f38c49a008fa27a1206378e144

SHA1
b13d05d99b91fdff5802660218d26c4811e062a0

SHA256
55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c

SHA512
989e642115b8453e5b806e70914243f728d38d29493cb75b49981dd390ad155502b2998bb435ec8f9e88ef0a4ca8921fd7a54f5685c4aef5167ee1a0ea16dee0

Download Submit
memory/2124-0-0x00000000000C0000-0x00000000000D8000-memory.dmp

Filesize
96KB

Download
memory/2124-1-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-2-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/2124-414-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-415-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download