6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57

General

Target

1be75ae8266bee2a29b8846a503fbd44.exe
Size

234KB
MD5

1be75ae8266bee2a29b8846a503fbd44
SHA1

c7c70d46a08ee09f94e65cadbb86eeb706989db5
SHA256

6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
SHA512

e478fc3f17cbd151e08a96977706e3976c34bbaaf0a4dec01b7bef9d461dd78a5f6e8449d6cdf46850b20746df9887ca993befe3cce1dbe27a9eb2b7960842d0

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

1be75ae8266bee2a29b8846a503fbd44.exe

pid process

1552 1be75ae8266bee2a29b8846a503fbd44.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

328 672 WerFault.exe 1be75ae8266bee2a29b8846a503fbd44.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

328 WerFault.exe
328 WerFault.exe
328 WerFault.exe
328 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

328 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 328 WerFault.exe

pid	process
1552	1be75ae8266bee2a29b8846a503fbd44.exe

pid	pid_target	process	target process
328	672	WerFault.exe	1be75ae8266bee2a29b8846a503fbd44.exe

pid	process
328	WerFault.exe
328	WerFault.exe
328	WerFault.exe
328	WerFault.exe

pid	process
328	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	328	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1be75ae8266bee2a29b8846a503fbd44.exe1be75ae8266bee2a29b8846a503fbd44.exe

C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe
"C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe
"C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:328

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsnBFE6.tmp\xwaahew.dll
MD5
1792a656868a4d2689ed3d4b577d7426

SHA1
bb62d812490c8d3154b9f34d72d75b9c0239d820

SHA256
ec60e96dc49a9fc57aabe1a6c6fcd58bab85010916de0b299a95af44ef332dd1

SHA512
b2408f5c9d1752f01189a180912e6d985e929a95c82904028157eeda33e01a7bfb654dd7930faee97af97ec1f5162b4e7b0d7777d11ddeeb39b4c0c520aa62ff

Download Submit
memory/328-67-0x0000000000000000-mapping.dmp

Download
memory/328-69-0x0000000000550000-0x000000000057E000-memory.dmp

Filesize
184KB

Download
memory/672-57-0x0000000000000000-mapping.dmp

Download
memory/672-58-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/672-62-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1552-55-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download

description	pid	process	target process
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 1552 wrote to memory of 672	1552	1be75ae8266bee2a29b8846a503fbd44.exe	1be75ae8266bee2a29b8846a503fbd44.exe
PID 672 wrote to memory of 328	672	1be75ae8266bee2a29b8846a503fbd44.exe	WerFault.exe
PID 672 wrote to memory of 328	672	1be75ae8266bee2a29b8846a503fbd44.exe	WerFault.exe
PID 672 wrote to memory of 328	672	1be75ae8266bee2a29b8846a503fbd44.exe	WerFault.exe
PID 672 wrote to memory of 328	672	1be75ae8266bee2a29b8846a503fbd44.exe	WerFault.exe

Analysis

Sharing