c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6

General

Target

c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
Size

1.4MB
MD5

0b6dc081f10432c7c3f63b75e162c7ef
SHA1

63fb2198cdd1313ca3a4668ae462fce44a375f71
SHA256

c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6
SHA512

7f567a33d61f7968434a43f890af1d9132ecae9ab32f8663788e6f12f6b3753d249a6dd51e7a8106d5afa7c3aecaae55b83fec9c44d5928de130333be3a303f2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

pid process

1616 internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4080 1616 WerFault.exe internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

pid	pid_target	process	target process
4080	1616	WerFault.exe	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exeWerFault.exe

pid	process
1616	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
1616	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
1616	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
1616	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4080 WerFault.exe
Token: SeBackupPrivilege 4080 WerFault.exe
Token: SeDebugPrivilege 4080 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4080	WerFault.exe
Token: SeBackupPrivilege	4080	WerFault.exe
Token: SeDebugPrivilege	4080	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

pid	process
1616	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
1616	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

description	pid	process	target process
PID 3196 wrote to memory of 1616	3196	c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
PID 3196 wrote to memory of 1616	3196	c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
PID 3196 wrote to memory of 1616	3196	c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe	internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe

C:\Users\Admin\AppData\Local\Temp\c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
"C:\Users\Admin\AppData\Local\Temp\c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\nsp13ED.tmp\internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
C:\Users\Admin\AppData\Local\Temp\nsp13ED.tmp\internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe C:/Users/Admin/AppData/Local/Temp/nsp13ED.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsp13ED.tmp/fallbackfiles/'
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 2076
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tempo_28293
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\tempo_30115
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\tempo_7020
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp13ED.tmp\fallbackfiles\index.7ze
MD5
d26f83a2bf2f52fd4ce8da50a9be1feb

SHA1
7002f34b8bc46fde8a1d6aea8e8b06b5ab3ec493

SHA256
dae6f4eb5986f811014d02270996b13f230fe520e3045508d574883dafa99cec

SHA512
c4683053fe7ca5060b3f9d7ae3b1132ca968bb745bdec1e23ec09978c60db47546756b5f2296256aa80df761d61c680bb7073246979fe84dd01037cfc89b3155

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp13ED.tmp\internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
MD5
e8ca22b2e64aa2a7e2f07b82754415cc

SHA1
3a9d0859f2f64222275535203c3be140f0f31995

SHA256
ea9e9b772ce598e25d7040c3f621a792a0e1b91c51840eecfa56fd6be22741dd

SHA512
91b3a1302fd422b21765d93e1bb7db5ad4390148aee8548f1aea331cd32650897bb71b2a890ce4d7eeb3ac6476454f52a52e3b4414c9e31fac71b8470631b460

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp13ED.tmp\internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6.exe
MD5
e8ca22b2e64aa2a7e2f07b82754415cc

SHA1
3a9d0859f2f64222275535203c3be140f0f31995

SHA256
ea9e9b772ce598e25d7040c3f621a792a0e1b91c51840eecfa56fd6be22741dd

SHA512
91b3a1302fd422b21765d93e1bb7db5ad4390148aee8548f1aea331cd32650897bb71b2a890ce4d7eeb3ac6476454f52a52e3b4414c9e31fac71b8470631b460

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp13ED.tmp\internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6_icon.ico
MD5
5a3ecf6c21c5f6ea64edeac6d4910236

SHA1
57c91c81870266a1f7166fcec73731d4f476cb6d

SHA256
73fcecb5c1455e9c4c1d113b98989e9146c492d9a8394396b7a5f63a34181c84

SHA512
1cbb1f006943b01033691b6a2e8e96f8887ba0d4672b73a6103511dc72688c663d275e7988b96425635bcbcdda28fc463df2f97385c13851c24b5a1d67168cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp13ED.tmp\internalc8f460d0eb422d3997bc39415410875135c2c56ed58286e2013ce8bac546bbd6_splash.png
MD5
2da71bd968f63580f75b4a7fb631b456

SHA1
5fb447c7a1b3eaa434dbce36b66e2f8d55a85497

SHA256
c9c816f45d366f517d1e693c1f13ebe910c3eb4f0ef6729c2d4f6dad522c2753

SHA512
c78f1ad39e8ad7835985a70db38114e08b819d4ac7b519e296d68db50bef1e06eb25071226dcb3064a89d2bb015f2e67a6d5fb404398acf56adcd4bce3eea262

Download Submit
memory/1616-114-0x0000000000000000-mapping.dmp

Download
memory/1616-120-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads