230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d

General

Target

230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe
Size

1.5MB
MD5

06b138680b94a1c616c08171b46188eb
SHA1

4a8b7c237f5fe553856f34c88f3ba13028cbb0f2
SHA256

230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d
SHA512

cc677273e38a543d6f6c8411dc2bc871005d277b5ef424bebb512414174ce7f768b1d434b19734470665ba418c562c917c5e275fb8557d63869d99b389578e9a

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

pid process

3508 internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

420 3508 WerFault.exe internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

pid	pid_target	process	target process
420	3508	WerFault.exe	internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 420 WerFault.exe
Token: SeBackupPrivilege 420 WerFault.exe
Token: SeDebugPrivilege 420 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	420	WerFault.exe
Token: SeBackupPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	420	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

pid	process
3508	internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe
3508	internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

description	pid	process	target process
PID 792 wrote to memory of 3508	792	230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe	internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe
PID 792 wrote to memory of 3508	792	230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe	internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe
PID 792 wrote to memory of 3508	792	230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe	internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

C:\Users\Admin\AppData\Local\Temp\230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe
"C:\Users\Admin\AppData\Local\Temp\230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\nsaAD30.tmp\internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe
  C:\Users\Admin\AppData\Local\Temp\nsaAD30.tmp\internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe C:/Users/Admin/AppData/Local/Temp/nsaAD30.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsaAD30.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 2064
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tempo_12348

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\tempo_15732

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\tempo_29396

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAD30.tmp\fallbackfiles\index.7ze

MD5
666ff39f5cc5d3e642f6809344e0b255

SHA1
20ddc1c9744602ae0b62fb3c06c67ee208b87b93

SHA256
020ad5922c5a97573c56dafa0b905c864647dcdf77a8f0c0df90b12c20c6c5ea

SHA512
161bae2c8c4af12b5ceec992edd566ac6782467fa4bff706dd1d9d353d96c5eb49f472d5356b398646e20e43765ebb63435c7af68a270383ac544251797192f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAD30.tmp\internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

MD5
2badd798cb27ae44d297639de1657396

SHA1
9707d81b2699ec666d640d4c1d6a5f493eb043f8

SHA256
fd1779679e71e9892a1de041517bd0dbd8e4a0df3f65b703583106f4d5e97050

SHA512
86bf42e5117894db361e9fa8482770170f928d3a46475c9dec2dcc0530f9e834f0a14bb86b390782c46496caa2c51b77fa579b951b10b2a7e4b638b5a6c64b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAD30.tmp\internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d.exe

MD5
2badd798cb27ae44d297639de1657396

SHA1
9707d81b2699ec666d640d4c1d6a5f493eb043f8

SHA256
fd1779679e71e9892a1de041517bd0dbd8e4a0df3f65b703583106f4d5e97050

SHA512
86bf42e5117894db361e9fa8482770170f928d3a46475c9dec2dcc0530f9e834f0a14bb86b390782c46496caa2c51b77fa579b951b10b2a7e4b638b5a6c64b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAD30.tmp\internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d_icon.ico

MD5
4e9f7ef22dac6d45aa44e823e16565a2

SHA1
139fb9ae6c98e8b5aadf043d37b0489e566e54a2

SHA256
54a0489ece8e8fd08eeddd602e28781681a922d95f69c5dcdf163d07d55007e2

SHA512
c587e92daf6917ce3486689fb44d3377c4241843077a874e86898f9aff5a4d5e227710fbf7825490e818fd40d174808dd80619b1527eedf8ad4434346fc542a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAD30.tmp\internal230968a851572a9d90d1378b9edaed330450880a9f8c2fcdf2b275df8f1aa11d_splash.png

MD5
505b1172685f588e9f25cf6b4d60b660

SHA1
45d8e947c6a20f8cf1c3fc33964376184d60db7c

SHA256
7b0f9fa3035a2df98ab4506711377b40572d1f2317dc7043114ab551d6ab3f0e

SHA512
bd65be34fd49d8c3f9879379ec480a3ee3689cdc604e64fa0c53a12925189a55fa190755c1f211d181d298362541c47e2c1ffb4dc0c4aae548052aef42e54a69

Download Submit
memory/3508-114-0x0000000000000000-mapping.dmp

Download
memory/3508-120-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads