074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51

General

Target

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
Size

242KB
MD5

c5d02a59e543e126359998b982e87d45
SHA1

e6960b254e0215493a29471949b1ff84b6da1b59
SHA256

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51
SHA512

6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2796 created 488 2796 WerFault.exe 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2796 created 488	2796	WerFault.exe	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
664	488	WerFault.exe	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
196	488	WerFault.exe	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
764	488	WerFault.exe	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
2296	488	WerFault.exe	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
2228	488	WerFault.exe	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
2796	488	WerFault.exe	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	664	WerFault.exe
Token: SeBackupPrivilege	664	WerFault.exe
Token: SeDebugPrivilege	664	WerFault.exe
Token: SeDebugPrivilege	196	WerFault.exe
Token: SeDebugPrivilege	764	WerFault.exe
Token: SeDebugPrivilege	2296	WerFault.exe
Token: SeDebugPrivilege	2228	WerFault.exe
Token: SeDebugPrivilege	2796	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
"C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe"
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 660
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 692
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 680
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 784
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 816
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 876
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/488-114-0x0000000000A50000-0x0000000000B9A000-memory.dmp

Filesize
1.3MB

Download
memory/488-115-0x0000000000400000-0x0000000000990000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads