1018d102af9093b9a03abe9a660360db6be8f752d992bb7159475fccd78949f5

General

Target

Statement SKBMT 09418.exe
Size

993KB
MD5

16fdc46350203434497e1741ea5cd20a
SHA1

f75824509e9ce1b77194724fd34c60bc0c9d28f1
SHA256

1018d102af9093b9a03abe9a660360db6be8f752d992bb7159475fccd78949f5
SHA512

a71d6af40387a94c52d54438fea392969f5f0a330867dc7a2d05de5c07fdfb26724270ca3bbbfaf1ceddd2338254eb158e9ada092fa622315627f0b0553fee12

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

Processes:

Statement SKBMT 09418.exeStatement SKBMT 09418.exe

description	pid	process	target process
PID 3176 set thread context of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 2924 set thread context of 680	2924	Statement SKBMT 09418.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1384 680 WerFault.exe InstallUtil.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Statement SKBMT 09418.exe

pid process

2924 Statement SKBMT 09418.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Statement SKBMT 09418.exe

pid process

2924 Statement SKBMT 09418.exe
2924 Statement SKBMT 09418.exe

pid	pid_target	process	target process
1384	680	WerFault.exe	InstallUtil.exe

pid	process
2924	Statement SKBMT 09418.exe

pid	process
2924	Statement SKBMT 09418.exe
2924	Statement SKBMT 09418.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Statement SKBMT 09418.exeStatement SKBMT 09418.exe

description	pid	process	target process
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 3176 wrote to memory of 2924	3176	Statement SKBMT 09418.exe	Statement SKBMT 09418.exe
PID 2924 wrote to memory of 680	2924	Statement SKBMT 09418.exe	InstallUtil.exe
PID 2924 wrote to memory of 680	2924	Statement SKBMT 09418.exe	InstallUtil.exe
PID 2924 wrote to memory of 680	2924	Statement SKBMT 09418.exe	InstallUtil.exe
PID 2924 wrote to memory of 680	2924	Statement SKBMT 09418.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 09418.exe
"C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 09418.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 09418.exe
  "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 09418.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 88
      4⤵
      Program crash
      PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-130-0x0000000000412452-mapping.dmp

Download
memory/2924-125-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2924-126-0x00000000004024E0-mapping.dmp

Download
memory/3176-121-0x0000000005020000-0x0000000005024000-memory.dmp

Filesize
16KB

Download
memory/3176-119-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3176-120-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/3176-114-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3176-122-0x0000000005050000-0x000000000554E000-memory.dmp

Filesize
5.0MB

Download
memory/3176-123-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/3176-124-0x0000000008240000-0x0000000008294000-memory.dmp

Filesize
336KB

Download
memory/3176-118-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3176-117-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3176-116-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing