21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2

General

Target

d0a801b89e60cb6ccf654a9baa290783.exe
Size

280KB
MD5

d0a801b89e60cb6ccf654a9baa290783
SHA1

03b0065ac6ae5667552501ba9d25c51b1bc3034d
SHA256

21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2
SHA512

daa434061ce27f202f511aa9f217d7aa945fcdab7e441c8ad8db6ac872289dae09d009950b09890065ee094db2da08950f4c9b7e59176255a570e9c4c3712575

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

d0a801b89e60cb6ccf654a9baa290783.exe

pid process

1548 d0a801b89e60cb6ccf654a9baa290783.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

960 1256 WerFault.exe d0a801b89e60cb6ccf654a9baa290783.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

960 WerFault.exe
960 WerFault.exe
960 WerFault.exe
960 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

960 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 960 WerFault.exe

pid	process
1548	d0a801b89e60cb6ccf654a9baa290783.exe

pid	pid_target	process	target process
960	1256	WerFault.exe	d0a801b89e60cb6ccf654a9baa290783.exe

pid	process
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe

pid	process
960	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	960	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d0a801b89e60cb6ccf654a9baa290783.exed0a801b89e60cb6ccf654a9baa290783.exe

C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe
"C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe
"C:\Users\Admin\AppData\Local\Temp\d0a801b89e60cb6ccf654a9baa290783.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:960

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nslC986.tmp\jotob.dll
MD5
4895c38c883087d6e8c1488deeff9352

SHA1
4c0c677f3b3c11c2470b9dd7bed210a5371d6746

SHA256
e854cd6f6b9585cc8f7c219375325ef1b2fa65d10313eb29c12b4ac6433b4c16

SHA512
ac0f4055941e0e74730dd8bdf6684f7cbcaa373a95381da928ab0772f1aaf0632195b979373cef1fe3d4be56e2e6a54e2c6517f11c5111eccc1c30bad2dd9347

Download Submit
memory/960-62-0x0000000000000000-mapping.dmp

Download
memory/960-64-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1256-56-0x0000000000000000-mapping.dmp

Download
memory/1256-57-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1548-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download

description	pid	process	target process
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1548 wrote to memory of 1256	1548	d0a801b89e60cb6ccf654a9baa290783.exe	d0a801b89e60cb6ccf654a9baa290783.exe
PID 1256 wrote to memory of 960	1256	d0a801b89e60cb6ccf654a9baa290783.exe	WerFault.exe
PID 1256 wrote to memory of 960	1256	d0a801b89e60cb6ccf654a9baa290783.exe	WerFault.exe
PID 1256 wrote to memory of 960	1256	d0a801b89e60cb6ccf654a9baa290783.exe	WerFault.exe
PID 1256 wrote to memory of 960	1256	d0a801b89e60cb6ccf654a9baa290783.exe	WerFault.exe

Analysis

Sharing