d171d6bfdf320dd4cb4f29596bdd63b41272d087b5e61edc8e0eb47c68fc5cad

General

Target

Urgent RFQ_AP65425652_032421,pdf.exe
Size

795KB
MD5

2c01f256b290b5366e18d6cf17ab20dd
SHA1

cd50c60b4f6a9fc43c6aa7d0b8c03cc1ff465046
SHA256

d171d6bfdf320dd4cb4f29596bdd63b41272d087b5e61edc8e0eb47c68fc5cad
SHA512

e905f448f1864a96ca86bec75bbade8443b5fae0efa6ea19614ce06f2879b27cb438d22b360d0e032f609d2efb1978d8f3cd4a9be16a952a0473be8f9e615d6e

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Netplwiz.exeNetplwiz.exe

pid process

1320 Netplwiz.exe
1344 Netplwiz.exe

pid	process
1320	Netplwiz.exe
1344	Netplwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Urgent RFQ_AP65425652_032421,pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vawrfz = "C:\\Users\\Public\\Libraries\\zfrwaV.url"	Urgent RFQ_AP65425652_032421,pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1388 544 WerFault.exe dialer.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1388 WerFault.exe
1388 WerFault.exe
1388 WerFault.exe
1388 WerFault.exe
1388 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1648 cmd.exe
1388 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1388 WerFault.exe

pid	pid_target	process	target process
1388	544	WerFault.exe	dialer.exe

pid	process
1388	WerFault.exe
1388	WerFault.exe
1388	WerFault.exe
1388	WerFault.exe
1388	WerFault.exe

pid	process
1648	cmd.exe
1388	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1388	WerFault.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Urgent RFQ_AP65425652_032421,pdf.exedialer.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 544	1632	Urgent RFQ_AP65425652_032421,pdf.exe	dialer.exe
PID 1632 wrote to memory of 1804	1632	Urgent RFQ_AP65425652_032421,pdf.exe	cmd.exe
PID 1632 wrote to memory of 1804	1632	Urgent RFQ_AP65425652_032421,pdf.exe	cmd.exe
PID 1632 wrote to memory of 1804	1632	Urgent RFQ_AP65425652_032421,pdf.exe	cmd.exe
PID 1632 wrote to memory of 1804	1632	Urgent RFQ_AP65425652_032421,pdf.exe	cmd.exe
PID 544 wrote to memory of 1388	544	dialer.exe	WerFault.exe
PID 544 wrote to memory of 1388	544	dialer.exe	WerFault.exe
PID 544 wrote to memory of 1388	544	dialer.exe	WerFault.exe
PID 544 wrote to memory of 1388	544	dialer.exe	WerFault.exe
PID 1804 wrote to memory of 1648	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 1648	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 1648	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 1648	1804	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Urgent RFQ_AP65425652_032421,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent RFQ_AP65425652_032421,pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\stt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1648

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:1320

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\NETUTILS.dll
MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat
MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat
MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
memory/544-82-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/544-81-0x0000000010540000-0x0000000010564000-memory.dmp

Filesize
144KB

Download
memory/544-78-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/544-80-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/544-66-0x0000000000000000-mapping.dmp

Download
memory/1388-69-0x0000000000000000-mapping.dmp

Download
memory/1388-84-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1632-63-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/1632-62-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1632-61-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1648-83-0x00000000007C0000-0x00000000008B5000-memory.dmp

Filesize
980KB

Download
memory/1648-71-0x0000000000000000-mapping.dmp

Download
memory/1804-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing